[openssh-commits] [openssh] 04/04: upstream: mention that compression could potentially leak

git+noreply at mindrot.org git+noreply at mindrot.org
Thu May 21 14:06:51 AEST 2026 

This is an automated email from the git hooks/post-receive script.

djm pushed a commit to branch master
in repository openssh.

commit a5a1b7e75389231bf817433d93f15732ba13c0ad
Author: djm at openbsd.org <djm at openbsd.org>
AuthorDate: Thu May 21 04:04:57 2026 +0000

    upstream: mention that compression could potentially leak
    
    information about session contents (cf. the CRIME attack on TLS) if a
    connection allows attacker- controlled traffic over it alongside trused
    traffic. This might occur in some forwarding scenarios.
    
    with deraadt@
    
    OpenBSD-Commit-ID: 03d145cdbf3a8713e8309724b5c9a9b76c317749
---
 ssh_config.5  | 11 +++++++++--
 sshd_config.5 | 11 +++++++++--
 2 files changed, 18 insertions(+), 4 deletions(-)

diff --git a/ssh_config.5 b/ssh_config.5
index b459b0449..50962fa71 100644
--- a/ssh_config.5
+++ b/ssh_config.5
@@ -33,8 +33,8 @@
 .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.\" $OpenBSD: ssh_config.5,v 1.423 2026/03/23 01:33:46 djm Exp $
-.Dd $Mdocdate: March 23 2026 $
+.\" $OpenBSD: ssh_config.5,v 1.424 2026/05/21 04:04:57 djm Exp $
+.Dd $Mdocdate: May 21 2026 $
 .Dt SSH_CONFIG 5
 .Os
 .Sh NAME
@@ -648,6 +648,13 @@ The argument must be
 or
 .Cm no
 (the default).
+.Pp
+Compression applies to all traffic that flows over the SSH connection.
+If untrusted traffic (such as an open port-forward) is permitted over the
+connection alongside trusted traffic, then compression may leak information
+about session contents.
+For this reason, it is not recommended to enable compression for connections
+that share trusted and untrusted traffic.
 .It Cm ConnectionAttempts
 Specifies the number of tries (one per second) to make before exiting.
 The argument must be an integer.
diff --git a/sshd_config.5 b/sshd_config.5
index 3f5e29812..4112166ec 100644
--- a/sshd_config.5
+++ b/sshd_config.5
@@ -33,8 +33,8 @@
 .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.\" $OpenBSD: sshd_config.5,v 1.397 2026/03/28 05:07:12 djm Exp $
-.Dd $Mdocdate: March 28 2026 $
+.\" $OpenBSD: sshd_config.5,v 1.398 2026/05/21 04:04:57 djm Exp $
+.Dd $Mdocdate: May 21 2026 $
 .Dt SSHD_CONFIG 5
 .Os
 .Sh NAME
@@ -633,6 +633,13 @@ or
 .Cm no .
 The default is
 .Cm yes .
+.Pp
+Compression applies to all traffic that flows over the SSH connection.
+If untrusted traffic (such as an open port-forward) is permitted over the
+connection alongside trusted traffic, then compression may leak information
+about session contents.
+For this reason, it is not recommended to enable compression for connections
+that share trusted and untrusted traffic.
 .It Cm DenyGroups
 This keyword can be followed by a list of group name patterns, separated
 by spaces.

-- 
To stop receiving notification emails like this one, please contact
djm at mindrot.org.

More information about the openssh-commits mailing list