From markus at openbsd.org Tue Sep 16 22:06:59 2003 From: markus at openbsd.org (Markus Friedl) Date: Tue, 16 Sep 2003 14:06:59 +0200 Subject: [openssh-unix-announce] OpenSSH 3.7 released Message-ID: <20030916120659.GA16027@folly> OpenSSH 3.7 has just been released. It will be available from the mirrors listed at http://www.openssh.com/ shortly. OpenSSH is a 100% complete SSH protocol version 1.3, 1.5 and 2.0 implementation and includes sftp client and server support. We would like to thank the OpenSSH community for their continued support to the project, especially those who contributed source and bought T-shirts or posters. We have a new design of T-shirt available, more info on http://www.openbsd.org/tshirts.html#18 For international orders use http://https.openbsd.org/cgi-bin/order and for European orders, use http://https.openbsd.org/cgi-bin/order.eu Security Changes: ================= All versions of OpenSSH's sshd prior to 3.7 contain a buffer management error. It is uncertain whether this error is potentially exploitable, however, we prefer to see bugs fixed proactively. OpenSSH 3.7 fixes this bug. Changes since OpenSSH 3.6.1: ============================ * The entire OpenSSH code-base has undergone a license review. As a result, all non-ssh1.x code is under a BSD-style license with no advertising requirement. Please refer to README in the source distribution for the exact license terms. * Rhosts authentication has been removed in ssh(1) and sshd(8). * Changes in Kerberos support: - KerberosV password support now uses a file cache instead of a memory cache. - KerberosIV and AFS support has been removed. - KerberosV support has been removed from SSH protocol 1. - KerberosV password authentication support remains for SSH protocols 1 and 2. - This release contains some GSSAPI user authentication support to replace legacy KerberosV authentication support. At present this code is still considered experimental and SHOULD NOT BE USED. * Changed order that keys are tried in public key authentication. The ssh(1) client tries the keys in the following order: 1. ssh-agent(1) keys that are found in the ssh_config(5) file 2. remaining ssh-agent(1) keys 3. keys that are only listed in the ssh_config(5) file This helps when an ssh-agent(1) has many keys, where the sshd(8) server might close the connection before the correct key is tried. * SOCKS5 support has been added to the dynamic forwarding mode in ssh(1). * Removed implementation barriers to operation of SSH over SCTP. * sftp(1) client can now transfer files with quote characters in their filenames. * Replaced sshd(8)'s VerifyReverseMapping with UseDNS option. When UseDNS option is on, reverse hostname lookups are always performed. * Fix a number of memory leaks. * Support for sending tty BREAK over SSH protocol 2. * Workaround for other vendor bugs in KEX guess handling. * Support for generating KEX-GEX groups (/etc/moduli) in ssh-keygen(1). * Automatic re-keying based on amount of data sent over connection. * New AddressFamily option on client to select protocol to use (IPv4 or IPv6). * Experimental support for the "aes128-ctr", "aes192-ctr", and "aes256-ctr" ciphers for SSH protocol 2. * Experimental support for host keys in DNS (draft-ietf-secsh-dns-xx.txt). Please see README.dns in the source distribution for details. * Portable OpenSSH: - Replace PAM password authentication kludge with a more correct PAM challenge-response module from FreeBSD. - PAM support may now be enabled/disabled at runtime using the UsePAM directive. - Many improvements to the OpenSC smartcard support. - Regression tests now work with portable OpenSSH. Please refer to regress/README.regress in the source distribution. - On platforms that support it, portable OpenSSH now honors the UMASK, PATH and SUPATH attributes set in /etc/default/login. - Deny access to locked accounts, regardless of authentication method in use. Checksums: ========== - MD5 (openssh-3.7.tgz) = 86864ecc276c5f75b06d4872a553fa70 - MD5 (openssh-3.7p1.tar.gz) = 77662801ba2a9cadc0ac10054bc6cb37 Reporting Bugs: =============== - please read http://www.openssh.com/report.html and http://bugzilla.mindrot.org/ OpenSSH is brought to you by Markus Friedl, Niels Provos, Theo de Raadt, Kevin Steves, Damien Miller, Ben Lindstrom, Darren Tucker and Tim Rice. From markus at openbsd.org Tue Sep 16 22:32:18 2003 From: markus at openbsd.org (Markus Friedl) Date: Tue, 16 Sep 2003 14:32:18 +0200 Subject: [openssh-unix-announce] OpenSSH Security Advisory: buffer.adv Message-ID: <20030916123218.GA24162@folly> This is the 1st revision of the Advisory. This document can be found at: http://www.openssh.com/txt/buffer.adv 1. Versions affected: All versions of OpenSSH's sshd prior to 3.7 contain a buffer management error. It is uncertain whether this error is potentially exploitable, however, we prefer to see bugs fixed proactively. 2. Solution: Upgrade to OpenSSH 3.7 or apply the following patch. Appendix: Index: buffer.c =================================================================== RCS file: /cvs/src/usr.bin/ssh/buffer.c,v retrieving revision 1.16 retrieving revision 1.17 diff -u -r1.16 -r1.17 --- buffer.c 26 Jun 2002 08:54:18 -0000 1.16 +++ buffer.c 16 Sep 2003 03:03:47 -0000 1.17 @@ -69,6 +69,7 @@ void * buffer_append_space(Buffer *buffer, u_int len) { + u_int newlen; void *p; if (len > 0x100000) @@ -98,11 +99,13 @@ goto restart; } /* Increase the size of the buffer and retry. */ - buffer->alloc += len + 32768; - if (buffer->alloc > 0xa00000) + + newlen = buffer->alloc + len + 32768; + if (newlen > 0xa00000) fatal("buffer_append_space: alloc %u not supported", - buffer->alloc); - buffer->buf = xrealloc(buffer->buf, buffer->alloc); + newlen); + buffer->buf = xrealloc(buffer->buf, newlen); + buffer->alloc = newlen; goto restart; /* NOTREACHED */ } From markus at openbsd.org Wed Sep 17 09:13:10 2003 From: markus at openbsd.org (Markus Friedl) Date: Wed, 17 Sep 2003 01:13:10 +0200 Subject: [openssh-unix-announce] OpenSSH 3.7.1 released Message-ID: <20030916231310.GA17404@folly> OpenSSH 3.7.1 has just been released. It will be available from the mirrors listed at http://www.openssh.com/ shortly. OpenSSH is a 100% complete SSH protocol version 1.3, 1.5 and 2.0 implementation and includes sftp client and server support. We would like to thank the OpenSSH community for their continued support to the project, especially those who contributed source and bought T-shirts or posters. We have a new design of T-shirt available, more info on http://www.openbsd.org/tshirts.html#18 For international orders use https://https.openbsd.org/cgi-bin/order and for European orders, use https://https.openbsd.org/cgi-bin/order.eu Security Changes: ================= All versions of OpenSSH's sshd prior to 3.7.1 contain buffer management errors. It is uncertain whether these errors are potentially exploitable, however, we prefer to see bugs fixed proactively. OpenSSH 3.7 fixed one of these bugs. OpenSSH 3.7.1 fixes more similar bugs. Changes since OpenSSH 3.6.1: ============================ * The entire OpenSSH code-base has undergone a license review. As a result, all non-ssh1.x code is under a BSD-style license with no advertising requirement. Please refer to README in the source distribution for the exact license terms. * Rhosts authentication has been removed in ssh(1) and sshd(8). * Changes in Kerberos support: - KerberosV password support now uses a file cache instead of a memory cache. - KerberosIV and AFS support has been removed. - KerberosV support has been removed from SSH protocol 1. - KerberosV password authentication support remains for SSH protocols 1 and 2. - This release contains some GSSAPI user authentication support to replace legacy KerberosV authentication support. At present this code is still considered experimental and SHOULD NOT BE USED. * Changed order that keys are tried in public key authentication. The ssh(1) client tries the keys in the following order: 1. ssh-agent(1) keys that are found in the ssh_config(5) file 2. remaining ssh-agent(1) keys 3. keys that are only listed in the ssh_config(5) file This helps when an ssh-agent(1) has many keys, where the sshd(8) server might close the connection before the correct key is tried. * SOCKS5 support has been added to the dynamic forwarding mode in ssh(1). * Removed implementation barriers to operation of SSH over SCTP. * sftp(1) client can now transfer files with quote characters in their filenames. * Replaced sshd(8)'s VerifyReverseMapping with UseDNS option. When UseDNS option is on, reverse hostname lookups are always performed. * Fix a number of memory leaks. * Support for sending tty BREAK over SSH protocol 2. * Workaround for other vendor bugs in KEX guess handling. * Support for generating KEX-GEX groups (/etc/moduli) in ssh-keygen(1). * Automatic re-keying based on amount of data sent over connection. * New AddressFamily option on client to select protocol to use (IPv4 or IPv6). * Experimental support for the "aes128-ctr", "aes192-ctr", and "aes256-ctr" ciphers for SSH protocol 2. * Experimental support for host keys in DNS (draft-ietf-secsh-dns-xx.txt). Please see README.dns in the source distribution for details. * Portable OpenSSH: - Replace PAM password authentication kludge with a more correct PAM challenge-response module from FreeBSD. - PAM support may now be enabled/disabled at runtime using the UsePAM directive. - Many improvements to the OpenSC smartcard support. - Regression tests now work with portable OpenSSH. Please refer to regress/README.regress in the source distribution. - On platforms that support it, portable OpenSSH now honors the UMASK, PATH and SUPATH attributes set in /etc/default/login. - Deny access to locked accounts, regardless of authentication method in use. Checksums: ========== - MD5 (openssh-3.7.1.tgz) = 3d2f1644d6a3d3267e5e2421f1385129 - MD5 (openssh-3.7.1p1.tar.gz) = f54e574e606c08ef63ebb1ab2f7689dc Reporting Bugs: =============== - please read http://www.openssh.com/report.html and http://bugzilla.mindrot.org/ OpenSSH is brought to you by Markus Friedl, Niels Provos, Theo de Raadt, Kevin Steves, Damien Miller, Ben Lindstrom, Darren Tucker and Tim Rice. From markus at openbsd.org Wed Sep 17 09:14:05 2003 From: markus at openbsd.org (Markus Friedl) Date: Wed, 17 Sep 2003 01:14:05 +0200 Subject: [openssh-unix-announce] OpenSSH Security Advisory: buffer.adv Message-ID: <20030916231405.GA13047@folly> This is the 2nd revision of the Advisory. This document can be found at: http://www.openssh.com/txt/buffer.adv 1. Versions affected: All versions of OpenSSH's sshd prior to 3.7.1 contain buffer management errors. It is uncertain whether these errors are potentially exploitable, however, we prefer to see bugs fixed proactively. Other implementations sharing common origin may also have these issues. 2. Solution: Upgrade to OpenSSH 3.7.1 or apply the following patch. =================================================================== Appendix A: patch for OpenSSH 3.6.1 and earlier Index: buffer.c =================================================================== RCS file: /cvs/src/usr.bin/ssh/buffer.c,v retrieving revision 1.16 retrieving revision 1.18 diff -u -r1.16 -r1.18 --- buffer.c 26 Jun 2002 08:54:18 -0000 1.16 +++ buffer.c 16 Sep 2003 21:02:39 -0000 1.18 @@ -23,8 +23,11 @@ void buffer_init(Buffer *buffer) { - buffer->alloc = 4096; - buffer->buf = xmalloc(buffer->alloc); + const u_int len = 4096; + + buffer->alloc = 0; + buffer->buf = xmalloc(len); + buffer->alloc = len; buffer->offset = 0; buffer->end = 0; } @@ -34,8 +37,10 @@ void buffer_free(Buffer *buffer) { - memset(buffer->buf, 0, buffer->alloc); - xfree(buffer->buf); + if (buffer->alloc > 0) { + memset(buffer->buf, 0, buffer->alloc); + xfree(buffer->buf); + } } /* @@ -69,6 +74,7 @@ void * buffer_append_space(Buffer *buffer, u_int len) { + u_int newlen; void *p; if (len > 0x100000) @@ -98,11 +104,13 @@ goto restart; } /* Increase the size of the buffer and retry. */ - buffer->alloc += len + 32768; - if (buffer->alloc > 0xa00000) + + newlen = buffer->alloc + len + 32768; + if (newlen > 0xa00000) fatal("buffer_append_space: alloc %u not supported", - buffer->alloc); - buffer->buf = xrealloc(buffer->buf, buffer->alloc); + newlen); + buffer->buf = xrealloc(buffer->buf, newlen); + buffer->alloc = newlen; goto restart; /* NOTREACHED */ } Index: channels.c =================================================================== RCS file: /cvs/src/usr.bin/ssh/channels.c,v retrieving revision 1.194 retrieving revision 1.195 diff -u -r1.194 -r1.195 --- channels.c 29 Aug 2003 10:04:36 -0000 1.194 +++ channels.c 16 Sep 2003 21:02:40 -0000 1.195 @@ -228,12 +228,13 @@ if (found == -1) { /* There are no free slots. Take last+1 slot and expand the array. */ found = channels_alloc; - channels_alloc += 10; if (channels_alloc > 10000) fatal("channel_new: internal error: channels_alloc %d " "too big.", channels_alloc); + channels = xrealloc(channels, + (channels_alloc + 10) * sizeof(Channel *)); + channels_alloc += 10; debug2("channel: expanding %d", channels_alloc); - channels = xrealloc(channels, channels_alloc * sizeof(Channel *)); for (i = found; i < channels_alloc; i++) channels[i] = NULL; } =================================================================== Appendix B: patch for OpenSSH 3.7 Index: buffer.c =================================================================== RCS file: /cvs/src/usr.bin/ssh/buffer.c,v retrieving revision 1.17 retrieving revision 1.18 diff -u -r1.17 -r1.18 --- buffer.c 16 Sep 2003 03:03:47 -0000 1.17 +++ buffer.c 16 Sep 2003 21:02:39 -0000 1.18 @@ -23,8 +23,11 @@ void buffer_init(Buffer *buffer) { - buffer->alloc = 4096; - buffer->buf = xmalloc(buffer->alloc); + const u_int len = 4096; + + buffer->alloc = 0; + buffer->buf = xmalloc(len); + buffer->alloc = len; buffer->offset = 0; buffer->end = 0; } @@ -34,8 +37,10 @@ void buffer_free(Buffer *buffer) { - memset(buffer->buf, 0, buffer->alloc); - xfree(buffer->buf); + if (buffer->alloc > 0) { + memset(buffer->buf, 0, buffer->alloc); + xfree(buffer->buf); + } } /* Index: channels.c =================================================================== RCS file: /cvs/src/usr.bin/ssh/channels.c,v retrieving revision 1.194 retrieving revision 1.195 diff -u -r1.194 -r1.195 --- channels.c 29 Aug 2003 10:04:36 -0000 1.194 +++ channels.c 16 Sep 2003 21:02:40 -0000 1.195 @@ -228,12 +228,13 @@ if (found == -1) { /* There are no free slots. Take last+1 slot and expand the array. */ found = channels_alloc; - channels_alloc += 10; if (channels_alloc > 10000) fatal("channel_new: internal error: channels_alloc %d " "too big.", channels_alloc); + channels = xrealloc(channels, + (channels_alloc + 10) * sizeof(Channel *)); + channels_alloc += 10; debug2("channel: expanding %d", channels_alloc); - channels = xrealloc(channels, channels_alloc * sizeof(Channel *)); for (i = found; i < channels_alloc; i++) channels[i] = NULL; } =================================================================== From djm at cvs.openbsd.org Tue Sep 23 22:39:50 2003 From: djm at cvs.openbsd.org (Damien Miller) Date: Tue, 23 Sep 2003 06:39:50 -0600 (MDT) Subject: [openssh-unix-announce] Portable OpenSSH 3.7.1p2 released Message-ID: <200309231239.h8NCdocm023804@cvs.openbsd.org> Portable OpenSSH 3.7.1p2 has just been released. It will be available from the mirrors listed at http://www.openssh.com/portable.html shortly. Please note that this is a release to address issues in the portable version only. The items mentioned below do not affect the OpenBSD version. OpenSSH is a 100% complete SSH protocol version 1.3, 1.5 and 2.0 implementation and includes sftp client and server support. We would like to thank the OpenSSH community for their continued support to the project, especially those who contributed source and bought T-shirts or posters. We have a new design of T-shirt available, more info on http://www.openbsd.org/tshirts.html#18 For international orders use http://https.openbsd.org/cgi-bin/order and for European orders, use http://https.openbsd.org/cgi-bin/order.eu Security Changes: ================= Portable OpenSSH version 3.7p1 and 3.7.1p1 contain multiple vulnerabilities in the new PAM authentication code. At least one of these bugs is remotely exploitable (under a non-standard configuration, with privsep disabled). OpenSSH 3.7.1p2 fixes these bugs. Please note that these bugs do not exist in OpenBSD's releases of OpenSSH. Changes since OpenSSH 3.7.1p1: ============================== * This release disables PAM by default. To enable it, set "UsePAM yes" in sshd_config. Due to complexity, inconsistencies in the specification and differences between vendors' PAM implementations we recommend that PAM be left disabled in sshd_config unless there is a need for its use. Sites using only public key or simple password authentication usually have little need to enable PAM support. * This release now requires zlib 1.1.4 to build correctly. Previous versions have security problems. * Fix compilation for versions of OpenSSL before 0.9.6. Some cipher modes are not supported for older OpenSSL versions. * Fix compilation problems on systems with a missing or lacking inet_ntoa() function. * Workaround problems related to unimplemented or broken setresuid/setreuid functions on several platforms. * Fix compilation on older OpenBSD systems. * Fix handling of password-less authentication (PermitEmptyPasswords=yes) that has not worked since the 3.7p1 release. Checksums: ========== - MD5 (openssh-3.7.1p2.tar.gz) = 61cf5b059938718308836d00f6764a94 Reporting Bugs: =============== - please read http://www.openssh.com/report.html and http://bugzilla.mindrot.org/ OpenSSH is brought to you by Markus Friedl, Niels Provos, Theo de Raadt, Kevin Steves, Damien Miller, Ben Lindstrom, Darren Tucker and Tim Rice. From djm at cvs.openbsd.org Tue Sep 23 22:40:25 2003 From: djm at cvs.openbsd.org (Damien Miller) Date: Tue, 23 Sep 2003 06:40:25 -0600 (MDT) Subject: [openssh-unix-announce] Multiple PAM vulnerabilities in portable OpenSSH Message-ID: <200309231240.h8NCePCd025947@cvs.openbsd.org> Subject: Portable OpenSSH Security Advisory: sshpam.adv This document can be found at: http://www.openssh.com/txt/sshpam.adv 1. Versions affected: Portable OpenSSH versions 3.7p1 and 3.7.1p1 contain multiple vulnerabilities in the new PAM code. At least one of these bugs is remotely exploitable (under a non-standard configuration, with privsep disabled). The OpenBSD releases of OpenSSH do not contain this code and are not vulnerable. Older versions of portable OpenSSH are not vulnerable. 2. Solution: Upgrade to Portable OpenSSH 3.7.1p2 or disable PAM support ("UsePam no" in sshd_config). Due to complexity, inconsistencies in the specification and differences between vendors' PAM implementations we recommend that PAM be left disabled in sshd_config unless there is a need for its use. Sites only using public key or simple password authentication usually have little need to enable PAM support. From djm at cvs.openbsd.org Tue Sep 23 22:40:25 2003 From: djm at cvs.openbsd.org (Damien Miller) Date: Tue, 23 Sep 2003 06:40:25 -0600 (MDT) Subject: [openssh-unix-announce] Multiple PAM vulnerabilities in portable OpenSSH Message-ID: <200309231240.h8NCePCd025947@cvs.openbsd.org> Subject: Portable OpenSSH Security Advisory: sshpam.adv This document can be found at: http://www.openssh.com/txt/sshpam.adv 1. Versions affected: Portable OpenSSH versions 3.7p1 and 3.7.1p1 contain multiple vulnerabilities in the new PAM code. At least one of these bugs is remotely exploitable (under a non-standard configuration, with privsep disabled). The OpenBSD releases of OpenSSH do not contain this code and are not vulnerable. Older versions of portable OpenSSH are not vulnerable. 2. Solution: Upgrade to Portable OpenSSH 3.7.1p2 or disable PAM support ("UsePam no" in sshd_config). Due to complexity, inconsistencies in the specification and differences between vendors' PAM implementations we recommend that PAM be left disabled in sshd_config unless there is a need for its use. Sites only using public key or simple password authentication usually have little need to enable PAM support. From djm at cvs.openbsd.org Tue Sep 23 22:39:50 2003 From: djm at cvs.openbsd.org (Damien Miller) Date: Tue, 23 Sep 2003 06:39:50 -0600 (MDT) Subject: [openssh-unix-announce] Portable OpenSSH 3.7.1p2 released Message-ID: <200309231239.h8NCdocm023804@cvs.openbsd.org> Portable OpenSSH 3.7.1p2 has just been released. It will be available from the mirrors listed at http://www.openssh.com/portable.html shortly. Please note that this is a release to address issues in the portable version only. The items mentioned below do not affect the OpenBSD version. OpenSSH is a 100% complete SSH protocol version 1.3, 1.5 and 2.0 implementation and includes sftp client and server support. We would like to thank the OpenSSH community for their continued support to the project, especially those who contributed source and bought T-shirts or posters. We have a new design of T-shirt available, more info on http://www.openbsd.org/tshirts.html#18 For international orders use http://https.openbsd.org/cgi-bin/order and for European orders, use http://https.openbsd.org/cgi-bin/order.eu Security Changes: ================= Portable OpenSSH version 3.7p1 and 3.7.1p1 contain multiple vulnerabilities in the new PAM authentication code. At least one of these bugs is remotely exploitable (under a non-standard configuration, with privsep disabled). OpenSSH 3.7.1p2 fixes these bugs. Please note that these bugs do not exist in OpenBSD's releases of OpenSSH. Changes since OpenSSH 3.7.1p1: ============================== * This release disables PAM by default. To enable it, set "UsePAM yes" in sshd_config. Due to complexity, inconsistencies in the specification and differences between vendors' PAM implementations we recommend that PAM be left disabled in sshd_config unless there is a need for its use. Sites using only public key or simple password authentication usually have little need to enable PAM support. * This release now requires zlib 1.1.4 to build correctly. Previous versions have security problems. * Fix compilation for versions of OpenSSL before 0.9.6. Some cipher modes are not supported for older OpenSSL versions. * Fix compilation problems on systems with a missing or lacking inet_ntoa() function. * Workaround problems related to unimplemented or broken setresuid/setreuid functions on several platforms. * Fix compilation on older OpenBSD systems. * Fix handling of password-less authentication (PermitEmptyPasswords=yes) that has not worked since the 3.7p1 release. Checksums: ========== - MD5 (openssh-3.7.1p2.tar.gz) = 61cf5b059938718308836d00f6764a94 Reporting Bugs: =============== - please read http://www.openssh.com/report.html and http://bugzilla.mindrot.org/ OpenSSH is brought to you by Markus Friedl, Niels Provos, Theo de Raadt, Kevin Steves, Damien Miller, Ben Lindstrom, Darren Tucker and Tim Rice. From djm at cvs.openbsd.org Tue Sep 23 22:39:50 2003 From: djm at cvs.openbsd.org (Damien Miller) Date: Tue, 23 Sep 2003 06:39:50 -0600 (MDT) Subject: [openssh-unix-announce] Portable OpenSSH 3.7.1p2 released Message-ID: <200309231239.h8NCdocm023804@cvs.openbsd.org> Portable OpenSSH 3.7.1p2 has just been released. It will be available from the mirrors listed at http://www.openssh.com/portable.html shortly. Please note that this is a release to address issues in the portable version only. The items mentioned below do not affect the OpenBSD version. OpenSSH is a 100% complete SSH protocol version 1.3, 1.5 and 2.0 implementation and includes sftp client and server support. We would like to thank the OpenSSH community for their continued support to the project, especially those who contributed source and bought T-shirts or posters. We have a new design of T-shirt available, more info on http://www.openbsd.org/tshirts.html#18 For international orders use http://https.openbsd.org/cgi-bin/order and for European orders, use http://https.openbsd.org/cgi-bin/order.eu Security Changes: ================= Portable OpenSSH version 3.7p1 and 3.7.1p1 contain multiple vulnerabilities in the new PAM authentication code. At least one of these bugs is remotely exploitable (under a non-standard configuration, with privsep disabled). OpenSSH 3.7.1p2 fixes these bugs. Please note that these bugs do not exist in OpenBSD's releases of OpenSSH. Changes since OpenSSH 3.7.1p1: ============================== * This release disables PAM by default. To enable it, set "UsePAM yes" in sshd_config. Due to complexity, inconsistencies in the specification and differences between vendors' PAM implementations we recommend that PAM be left disabled in sshd_config unless there is a need for its use. Sites using only public key or simple password authentication usually have little need to enable PAM support. * This release now requires zlib 1.1.4 to build correctly. Previous versions have security problems. * Fix compilation for versions of OpenSSL before 0.9.6. Some cipher modes are not supported for older OpenSSL versions. * Fix compilation problems on systems with a missing or lacking inet_ntoa() function. * Workaround problems related to unimplemented or broken setresuid/setreuid functions on several platforms. * Fix compilation on older OpenBSD systems. * Fix handling of password-less authentication (PermitEmptyPasswords=yes) that has not worked since the 3.7p1 release. Checksums: ========== - MD5 (openssh-3.7.1p2.tar.gz) = 61cf5b059938718308836d00f6764a94 Reporting Bugs: =============== - please read http://www.openssh.com/report.html and http://bugzilla.mindrot.org/ OpenSSH is brought to you by Markus Friedl, Niels Provos, Theo de Raadt, Kevin Steves, Damien Miller, Ben Lindstrom, Darren Tucker and Tim Rice. From djm at cvs.openbsd.org Tue Sep 23 22:39:50 2003 From: djm at cvs.openbsd.org (Damien Miller) Date: Tue, 23 Sep 2003 06:39:50 -0600 (MDT) Subject: [openssh-unix-announce] Portable OpenSSH 3.7.1p2 released Message-ID: <200309231239.h8NCdocm023804@cvs.openbsd.org> Portable OpenSSH 3.7.1p2 has just been released. It will be available from the mirrors listed at http://www.openssh.com/portable.html shortly. Please note that this is a release to address issues in the portable version only. The items mentioned below do not affect the OpenBSD version. OpenSSH is a 100% complete SSH protocol version 1.3, 1.5 and 2.0 implementation and includes sftp client and server support. We would like to thank the OpenSSH community for their continued support to the project, especially those who contributed source and bought T-shirts or posters. We have a new design of T-shirt available, more info on http://www.openbsd.org/tshirts.html#18 For international orders use http://https.openbsd.org/cgi-bin/order and for European orders, use http://https.openbsd.org/cgi-bin/order.eu Security Changes: ================= Portable OpenSSH version 3.7p1 and 3.7.1p1 contain multiple vulnerabilities in the new PAM authentication code. At least one of these bugs is remotely exploitable (under a non-standard configuration, with privsep disabled). OpenSSH 3.7.1p2 fixes these bugs. Please note that these bugs do not exist in OpenBSD's releases of OpenSSH. Changes since OpenSSH 3.7.1p1: ============================== * This release disables PAM by default. To enable it, set "UsePAM yes" in sshd_config. Due to complexity, inconsistencies in the specification and differences between vendors' PAM implementations we recommend that PAM be left disabled in sshd_config unless there is a need for its use. Sites using only public key or simple password authentication usually have little need to enable PAM support. * This release now requires zlib 1.1.4 to build correctly. Previous versions have security problems. * Fix compilation for versions of OpenSSL before 0.9.6. Some cipher modes are not supported for older OpenSSL versions. * Fix compilation problems on systems with a missing or lacking inet_ntoa() function. * Workaround problems related to unimplemented or broken setresuid/setreuid functions on several platforms. * Fix compilation on older OpenBSD systems. * Fix handling of password-less authentication (PermitEmptyPasswords=yes) that has not worked since the 3.7p1 release. Checksums: ========== - MD5 (openssh-3.7.1p2.tar.gz) = 61cf5b059938718308836d00f6764a94 Reporting Bugs: =============== - please read http://www.openssh.com/report.html and http://bugzilla.mindrot.org/ OpenSSH is brought to you by Markus Friedl, Niels Provos, Theo de Raadt, Kevin Steves, Damien Miller, Ben Lindstrom, Darren Tucker and Tim Rice. From djm at shitei.mindrot.org Wed Sep 24 11:24:42 2003 From: djm at shitei.mindrot.org (Damien Miller) Date: Wed, 24 Sep 2003 11:24:42 +1000 (EST) Subject: [openssh-unix-announce] Delay in anncouncements Message-ID: Apologies for the delay for the announcement messages to reach the list. For some reason the list manager (Mailman) decided that the messages needed approval twice.