[mosh-devel] Please test mosh 1.2.1 release candidate

Keith Winstein keithw at MIT.EDU
Wed May 23 12:52:40 EDT 2012


Hello all,

Please test the mosh 1.2.1 release candidate before it is released later 
this week.

 	https://github.com/downloads/keithw/mosh/mosh-1.2.0.97.tar.gz

This fixes a number of issues in mosh 1.2, including the ability of evil 
applications to cause the mosh-server to use a lot of CPU time trying to 
execute a short ANSI escape sequence with a huge "repeat" count. The same 
sequences can allow a malicious mosh-server to cause the mosh-client to 
use a lot of CPU time.

Timo Juhani Lindfors reported this issue to Fedora, which requested a CVE 
(CVE-2012-2385) on the grounds that it is a denial of service by the 
application against the mosh-server or by the mosh-server against the 
mosh-client. We don't generally consider this kind of issue to be security 
related, since the application is already trusted to decide what is on the 
screen, and can do things like shut off the keyboard. But it makes for 
more robust terminal emulation to ignore these gigantic repeat counts 
rather than getting stuck in a huge loop.

This release will also:

* Improve performance on lossy links

* Give the user a helpful diagnostic when the link is dead in only one
   direction

* Use less CPU when link is down (Keegan McAllister)

* Use less memory when mosh-server is malicious.

* Fix a vttest regression re: wrapping and tabs.

* Enable a roundtrip verifier of terminal emulator correctness when
   the server is verbose.

* Remove skalibs as a dependency (Keegan McAllister)

* Remove use of poll() and the OS X poll workaround in favor of
   pselect(), which we think works everywhere (Keegan McAllister)

* Include a bash_completion file (ejeffrey)

* Include a firewall profile for UFW (Fumihito YOSHIDA)

Please report any feedback to the list or by filing a new issue on GitHub 
(https://github.com/keithw/mosh/issues).

Thanks very much,
Keith
for the Mosh project
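
The following is an added example, not part of the original message and not code from mosh: a sketch of how a terminal emulator can ignore a gigantic repeat count by saturating the parsed parameter and clamping it to the row width. ICH ("CSI n @") is used only as a representative counted sequence; PARAM_MAX, parse_param, Row and insert_blanks are hypothetical names.

```cpp
#include <algorithm>
#include <cstddef>
#include <iostream>
#include <string>
#include <vector>

// All names here are hypothetical; this is not mosh source code.
constexpr int PARAM_MAX = 65535;  // assumed saturation cap for a CSI parameter

// Parse the decimal parameter of a CSI sequence, saturating at PARAM_MAX
// instead of overflowing. A missing or zero parameter defaults to 1.
int parse_param(const std::string &digits) {
    int value = 0;
    for (char c : digits) {
        if (c < '0' || c > '9') break;
        value = std::min(value * 10 + (c - '0'), PARAM_MAX);
    }
    return value == 0 ? 1 : value;
}

struct Row {
    std::vector<char> cells;
    explicit Row(std::size_t width) : cells(width, ' ') {}
};

// ICH ("CSI n @"): insert n blanks at col, shifting the rest of the row right.
// The count is clamped to the cells left in the row, so the work done is
// bounded by the row width no matter what n the application sent.
// Returns the number of blanks actually inserted.
std::size_t insert_blanks(Row &row, std::size_t col, int count) {
    const std::size_t width = row.cells.size();
    if (count <= 0 || col >= width) return 0;
    const std::size_t n = std::min(static_cast<std::size_t>(count), width - col);
    std::copy_backward(row.cells.begin() + col, row.cells.end() - n, row.cells.end());
    std::fill_n(row.cells.begin() + col, n, ' ');
    return n;
}

int main() {
    Row row(8);
    const std::string text = "abcdefgh";  // constructed sample row
    std::copy(text.begin(), text.end(), row.cells.begin());
    // Constructed hostile parameter: far larger than any screen.
    std::size_t n = insert_blanks(row, 2, parse_param("99999999999999999999"));
    std::cout << n << " [" << std::string(row.cells.begin(), row.cells.end()) << "]\n";
}
```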


