This is primarily a bugfix release.
Features:
* ssh-keygen(1): Add optional checkpoints for moduli screening
* ssh-add(1): new -k option to load plain keys (skipping certificates)
* sshd(8): Add wildcard support to PermitOpen, allowing things like
"PermitOpen localhost:*". bz #1857
* ssh(1): support for cancelling local and remote port forwards via the
multiplex socket. Use ssh -O cancel -L xx:xx:xx -R yy:yy:yy user at host"
to request the cancellation of the specified forwardings
* support cancellation of local/dynamic forwardings from ~C commandline
Bugfixes:
* ssh(1): ensure that $DISPLAY contains only valid characters before
using it to extract xauth data so that it can't be used to play local
shell metacharacter games.
* ssh(1): unbreak remote portforwarding with dynamic allocated listen ports
* scp(1): uppress adding '--' to remote commandlines when the first
argument does not start with '-'. saves breakage on some
difficult-to-upgrade embedded/router platforms
* ssh(1)/sshd(8): fix typo in IPQoS parsing: there is no "AF14" class,
but there is an "AF21" class
* ssh(1)/sshd(8): do not permit SSH2_MSG_SERVICE_REQUEST/ACCEPT during
rekeying
* ssh(1): skip attempting to create ~/.ssh when -F is passed
* sshd(8): unbreak stdio forwarding when ControlPersist is in use; bz#1943
* sshd(1): send tty break to pty master instead of (probably already
closed) slave side; bz#1859
* sftp(1): silence error spam for "ls */foo" in directory with files;
bz#1683
* Fixed a number of memory and file descriptor leaks
Portable OpenSSH:
* Add a new privilege separation sandbox implementation for Linux's
new seccomp sandbox, automatically enabled on platforms that support
it. (Note: privilege separation sandboxing is still experimental)
* Fix compilation problems on FreeBSD, where libutil contained openpty()
but not login().
* ssh-keygen(1): don't fail in -A on platforms that don't support ECC
* Add optional support for LDNS, a BSD licensed DNS resolver library
which supports DNSSEC
* Relax OpenSSL version check to allow running OpenSSH binaries on
systems with OpenSSL libraries with a newer "fix" or "patch" level
than the binaries were originally compiled on (previous check only
allowed movement within "patch" releases). bz#1991
* Fix builds using contributed Redhat spec file. bz#1992