1 files changed, 64 insertions, 3 deletions

diff --git a/sites/www/changelog.rst b/sites/www/changelog.rst
index 0a9978c1..b01e596d 100644
--- a/sites/www/changelog.rst
+++ b/sites/www/changelog.rst
@@ -2,6 +2,7 @@
 Changelog
 =========
 
+- :release:`2.2.4 <2018-09-18>`
 - :release:`2.1.6 <2018-09-18>`
 - :release:`2.0.9 <2018-09-18>`
 - :bug:`-` Modify protocol message handling such that ``Transport`` does not
@@ -38,6 +39,7 @@ Changelog
   ``black`` code formatter (both of which previously only existed in the 2.4
   branch and above) to everything 2.0 and newer. This makes back/forward
   porting bugfixes significantly easier.
+- :release:`2.2.3 <2018-03-12>`
 - :release:`2.1.5 <2018-03-12>`
 - :release:`2.0.8 <2018-03-12>`
 - :release:`1.18.5 <2018-03-12>`
@@ -47,13 +49,22 @@ Changelog
   where authentication status was not checked before processing channel-open
   and other requests typically only sent after authenticating. Big thanks to
   Matthijs Kooijman for the report.
+- :bug:`1039` Ed25519 auth key decryption raised an unexpected exception when
+  given a unicode password string (typical in python 3). Report by Theodor van
+  Nahl and fix by Pierce Lopez.
 - :bug:`1108 (1.17+)` Rename a private method keyword argument (which was named
   ``async``) so that we're compatible with the upcoming Python 3.7 release
   (where ``async`` is a new keyword.) Thanks to ``@vEpiphyte`` for the report.
 - :support:`- backported` Include LICENSE file in wheel archives.
+- :release:`2.2.2 <2017-09-18>`
 - :release:`2.1.4 <2017-09-18>`
 - :release:`2.0.7 <2017-09-18>`
 - :release:`1.18.4 <2017-09-18>`
+- :bug:`1065` Add rekeying support to GSSAPI connections, which was erroneously
+  missing. Without this fix, any attempt to renegotiate the transport keys for
+  a ``gss-kex``-authed `~paramiko.transport.Transport` would cause a MIC
+  failure and terminate the connection. Thanks to Sebastian Deiß and Anselm
+  Kruis for the patch.
 - :bug:`1061` Clean up GSSAPI authentication procedures so they do not prevent
   normal fallback to other authentication methods on failure. (In other words,
   presence of GSSAPI functionality on a target server precluded use of _any_
@@ -71,6 +82,18 @@ Changelog
   consider a different type to be a "Missing" host key. This fixes a common
   case where an ECDSA key is in known_hosts and the server also has an RSA host
   key. Thanks to Pierce Lopez.
+- :support:`1012` (via :issue:`1016`) Enhance documentation around the new
+  `SFTP.posix_rename <paramiko.sftp_client.SFTPClient.posix_rename>` method so
+  it's referenced in the 'standard' ``rename`` method for increased visibility.
+  Thanks to Marius Flage for the report.
+- :release:`2.2.1 <2017-06-13>`
+- :bug:`993` Ed25519 host keys were not comparable/hashable, causing an
+  exception if such a key existed in a ``known_hosts`` file. Thanks to Oleh
+  Prypin for the report and Pierce Lopez for the fix.
+- :bug:`990` The (added in 2.2.0) ``bcrypt`` dependency should have been on
+  version 3.1.3 or greater (was initially set to 3.0.0 or greater.) Thanks to
+  Paul Howarth for the report.
+- :release:`2.2.0 <2017-06-09>`
 - :release:`2.1.3 <2017-06-09>`
 - :release:`2.0.6 <2017-06-09>`
 - :release:`1.18.3 <2017-06-09>`
@@ -99,9 +122,30 @@ Changelog
 
   Thanks to ``@virlos`` for the original report, Chris Harris and ``@ibuler``
   for initial draft PRs, and ``@jhgorrell`` for the final patch.
-- :support:`956 (1.17+)` Switch code coverage service from coveralls.io to
-  codecov.io (& then disable the latter's auto-comments.) Thanks to Nikolai
-  Røed Kristiansen for the patch.
+- :feature:`65` (via :issue:`471`) Add support for OpenSSH's SFTP
+  ``posix-rename`` protocol extension (section 3.3 of `OpenSSH's protocol
+  extension document
+  <http://cvsweb.openbsd.org/cgi-bin/cvsweb/src/usr.bin/ssh/PROTOCOL?rev=1.31>`_),
+  via a new ``posix_rename`` method in `SFTPClient
+  <paramiko.sftp_client.SFTPClient.posix_rename>` and `SFTPServerInterface
+  <paramiko.sftp_si.SFTPServerInterface.posix_rename>`. Thanks to Wren Turkal
+  for the initial patch & Mika Pflüger for the enhanced, merged PR.
+- :feature:`869` Add an ``auth_timeout`` kwarg to `SSHClient.connect
+  <paramiko.client.SSHClient.connect>` (default: 30s) to avoid hangs when the
+  remote end becomes unresponsive during the authentication step. Credit to
+  ``@timsavage``.
+
+  .. note::
+    This technically changes behavior, insofar as very slow auth steps >30s
+    will now cause timeout exceptions instead of completing. We doubt most
+    users will notice; those affected can simply give a higher value to
+    ``auth_timeout``.
+
+- :support:`921` Tighten up the ``__hash__`` implementation for various key
+  classes; less code is good code. Thanks to Francisco Couzo for the patch.
+- :support:`956 backported (1.17+)` Switch code coverage service from
+  coveralls.io to codecov.io (& then disable the latter's auto-comments.)
+  Thanks to Nikolai Røed Kristiansen for the patch.
 - :bug:`983` Move ``sha1`` above the now-arguably-broken ``md5`` in the list of
   preferred MAC algorithms, as an incremental security improvement for users
   whose target systems offer both. Credit: Pierce Lopez.
@@ -109,6 +153,15 @@ Changelog
   2.0; but since the algorithm is now known to be completely insecure, we are
   opting to remove support outright instead of fixing it. Thanks to Alex Gaynor
   for catch & patch.
+- :feature:`857` Allow `SSHClient.set_missing_host_key_policy
+  <paramiko.client.SSHClient.set_missing_host_key_policy>` to accept policy
+  classes _or_ instances, instead of only instances, thus fixing a
+  long-standing gotcha for unaware users.
+- :feature:`951` Add support for ECDH key exchange (kex), specifically the
+  algorithms ``ecdh-sha2-nistp256``, ``ecdh-sha2-nistp384``, and
+  ``ecdh-sha2-nistp521``. They now come before the older ``diffie-hellman-*``
+  family of kex algorithms in the preferred-kex list. Thanks to Shashank
+  Veerapaneni for the patch & Pierce Lopez for a follow-up.
 - :support:`- backported` A big formatting pass to clean up an enormous number
   of invalid Sphinx reference links, discovered by switching to a modern,
   rigorous nitpicking doc-building mode.
@@ -122,6 +175,14 @@ Changelog
   to hosts which only offer these key types and no others. This is now fixed.
   Thanks to ``@ncoult`` and ``@kasdoe`` for reports and Pierce Lopez for the
   patch.
+- :feature:`325` (via :issue:`972`) Add Ed25519 support, for both host keys
+  and user authentication. Big thanks to Alex Gaynor for the patch.
+
+  .. note::
+    This change adds the ``bcrypt`` and ``pynacl`` Python libraries as
+    dependencies. No C-level dependencies beyond those previously required (for
+    Cryptography) have been added.
+
 - :support:`974 backported` Overhaul the codebase to be PEP-8, etc, compliant
   (i.e. passes the maintainer's preferred `flake8 <http://flake8.pycqa.org/>`_
   configuration) and add a ``flake8`` step to the Travis config. Big thanks to