[mosh-devel] mosh 1.2.1 released

Keith Winstein keithw at MIT.EDU
Fri May 25 18:33:11 EDT 2012 

Hello Mosh users and developers,

mosh 1.2.1 has been released.

The source code is at:
https://github.com/downloads/keithw/mosh/mosh-1.2.1.tar.gz

This release fixes a number of issues with mosh 1.2:

* Ignore nonsensical escape sequences. Timo Juhani Lindfors found that
mosh faithfully interprets even very large "repeat" counts in ANSI
escape sequences, allowing a malicious application to cause the
mosh-server to use a lot of CPU time trying to execute a short ANSI
escape sequence. The same sequences can allow a malicious mosh-server
to cause the mosh-client to use a lot of CPU time. Mosh 1.2.1 ignores
these large repeat counts. This issue has been tagged as
CVE-2012-2385.

* Improve performance on lossy links

* Give the user a helpful diagnostic when the link is dead in only one
 direction

* Use less CPU when link is down (Keegan McAllister)

* Use less memory when mosh-server is malicious.

* Fix a vttest regression re: wrapping and tabs.

* Enable a roundtrip verifier of terminal emulator correctness when
 the server is verbose.

* Remove skalibs as a dependency (Keegan McAllister)

* Remove use of poll() and the OS X poll workaround in favor of
 pselect(), which we think works everywhere (Keegan McAllister)

* Include a bash_completion file (ejeffrey)

* Include a firewall profile for UFW (Fumihito YOSHIDA)

* Warning on out-of-order/duplicated datagrams (or failed nonce increment).

* Clearer error message on invalid port number.

* Cleanups to quit scenario when firewalled.

===

mosh 1.2.1 is backwards-compatible with mosh clients back to 0.96 and
mosh servers back to 1.0.9. Please let us know of any problems
(https://github.com/keithw/mosh/issues).

Best regards from the Mosh team,
Keith

On Thu, Apr 26, 2012 at 3:06 AM, Keith Winstein <keithw at mit.edu> wrote:
> Hello Mosh users and developers,
>
> mosh 1.2 has been released.
>
> The source code is at: https://github.com/downloads/keithw/mosh/mosh-1.2.tar.gz
>
> This version polishes a number of rough edges, and especially:
>
> * Boost is no longer required to compile Mosh
>
> * Mosh passes the locale over the connection for users who don't have
> SSH configured to do so
>
> * Mosh provides more helpful diagnostics
>
> * The client has a --ssh= option to give options to the startup SSH,
> including setting a port number or key file
>
> * Mosh uses compiler hardening flags when available
>
> * Added support for FreeBSD, Cygwin, RHEL/CentOS 5, OS X 10.5 on PPC
>
> * Improved support for OS X 10.6 and ARM platforms.
>
> * Many bug fixes and some performance improvements
>
> ===
>
> The new version is backwards-compatible with mosh clients back to 0.96
> and mosh servers back to 1.0.9, but to realize some of these benefits
> you will need version 1.2 installed on both client and server. Please
> let us know of any problems (https://github.com/keithw/mosh/issues).
>
> Best regards from the Mosh team,
> Keith

More information about the mosh-devel mailing list