From markus at openbsd.org Thu Mar 7 22:55:57 2002
From: markus at openbsd.org (Markus Friedl)
Date: Thu, 7 Mar 2002 12:55:57 +0100
Subject: [openssh-unix-announce] OpenSSH 3.1 released
Message-ID: <20020307115557.GA8914@faui02>

OpenSSH 3.1 has just been released. It will be available from the
mirrors listed at http://www.openssh.com/ shortly.

OpenSSH is a 100% complete SSH protocol version 1.3, 1.5 and 2.0
implementation and includes sftp client and server support.

We would like to thank the OpenSSH community for their continued
support and encouragement.

Important Changes:
==================

- /etc/ssh/ now default directory for keys and configuration files
- ssh-keygen no longer defaults to a specific key type (rsa1);
  use ssh-keygen -t {rsa,dsa,rsa1}
- sshd x11 forwarding listens on localhost by default;
  see sshd X11UseLocalhost option to revert to prior behaviour
  if your older X11 clients do not function with this configuration

Other Changes:
==============

- ssh ~& escape char functions now for both protocol versions
- sshd ReverseMappingCheck option changed to VerifyReverseMapping
  to clarify its function; ReverseMappingCheck can still be used
- public key fingerprint is now logged with LogLevel=VERBOSE
- reason logged for disallowed logins (e.g., no shell, etc.)
- more robust error handling for x11 forwarding
- improved packet/window size handling in ssh2
- use of regex(3) has been removed
- fix SIGCHLD races in sshd (seen on Solaris)
- sshd -o option added
- sftp -B -R -P options added
- ssh-add now adds all 3 default keys
- ssh-keyscan bug fixes
- ssh-askpass for hostkey dialog
- fix fd leak in sshd on SIGHUP
- TCP_NODELAY set on X11 and TCP forwarding endpoints

OpenSSH is brought to you by Markus Friedl, Niels Provos, Theo de Raadt,
Kevin Steves, Damien Miller and Ben Lindstrom.

From markus at openbsd.org Thu Mar 7 22:56:33 2002
From: markus at openbsd.org (Markus Friedl)
Date: Thu, 7 Mar 2002 12:56:33 +0100
Subject: [openssh-unix-announce] OpenSSH Security Advisory (adv.channelalloc)
Message-ID: <20020307115633.GA8924@faui02>

1. Systems affected:

        All versions of OpenSSH between 2.0 and 3.0.2 contain
        an off-by-one error in the channel code.

        OpenSSH 3.1 and later are not affected.

2. Impact:

        This bug can be exploited locally by an authenticated user
        logging into a vulnerable OpenSSH server or by a malicious
        SSH server attacking a vulnerable OpenSSH client.

3. Solution:

        Upgrade to OpenSSH 3.1 or apply the following patch.

4. Credits:

        This bug was discovered by Joost Pol

Appendix:

Index: channels.c =================================================================== RCS file: /cvs/src/usr.bin/ssh/channels.c,v retrieving revision 1.170 retrieving revision 1.171 diff -u -r1.170 -r1.171 --- channels.c 27 Feb 2002 21:23:13 -0000 1.170 +++ channels.c 4 Mar 2002 19:37:58 -0000 1.171 @@ -146,7 +146,7 @@ { Channel *c; - if (id < 0 || id > channels_alloc) { + if (id < 0 || id >= channels_alloc) { log("channel_lookup: %d: bad id", id); return NULL; }
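
Review bot: The corrected check `if (id < 0 || id >= channels_alloc)` has no comment stating the valid range of channel ids, so the invariant the fix restores stays implicit. With the old `>` an id equal to channels_alloc passed the test and went on to be used after the check. A one-line comment above the condition saying that valid ids run from 0 to channels_alloc - 1 would document that, and it is worth confirming that any other comparison against channels_alloc in channels.c uses `>=` in the same way.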