FW: Call for testing: openssh-5.2

Scott Neugroschl scott_n at xypro.com
Thu Feb 19 03:36:28 EST 2009


Whoops -- sent to wrong address...

Mandriva 2008.1 openssh-SNAP-20090218 passes all tests.

> -----Original Message-----
> From: Scott Neugroschl
> Sent: Tuesday, February 17, 2009 10:06 AM
> To: Damien Miller
> Subject: RE: Call for testing: openssh-5.2
> 
> Mandriva 2008.1 -- openssh-SNAP-20090218 passes
> 
> 
> -----Original Message-----
> From: openssh-unix-dev-bounces+scott_n=xypro.com at mindrot.org on behalf
> of Damien Miller
> Sent: Sun 2/15/2009 8:32 PM
> To: openssh-unix-dev at mindrot.org
> Subject: Call for testing: openssh-5.2
> 
> Hi,
> 
> OpenSSH 5.2 is almost ready for release, so we would appreciate testing
> on as many platforms and systems as possible. This is primarily a bug-fix
> release, to follow the feature-focused 5.1 release.
> 
> Snapshot releases for portable OpenSSH are available from
> http://www.mindrot.org/openssh_snap/
> 
> The OpenBSD version is available in CVS HEAD:
> http://www.openbsd.org/anoncvs.html
> 
> Portable OpenSSH is also available via anonymous CVS using the
> instructions at http://www.openssh.com/portable.html#cvs
> 
> Running the regression tests supplied with Portable OpenSSH does not
> require installation and is simply:
> 
> $ ./configure && make tests
> 
> Live testing on suitable non-production systems is also appreciated.
> Please send reports of success or failure to
> openssh-unix-dev at mindrot.org.
> 
> Below is a summary of changes. More detail may be found in the
> ChangeLog in the portable OpenSSH tarballs.
> 
> Thanks to the many people who contributed to this release.
> 
> 
> Changes since OpenSSH 5.1
> =========================
> 
> Security:
> 
>  * This release changes the default cipher order to prefer the AES CTR
>    modes and the revised "arcfour256" mode to CBC mode ciphers that are
>    susceptible to CPNI-957037 "Plaintext Recovery Attack Against SSH".
> 
>  * This release also adds countermeasures to mitigate CPNI-957037-style
>    attacks against the SSH protocol's use of CBC-mode ciphers. Upon
>    detection of an invalid packet length or Message Authentication
>    Code, ssh/sshd will continue reading up to the maximum supported
>    packet length rather than immediately terminating the connection.
>    This eliminates most of the known differences in behaviour that
>    leaked information about the plaintext of injected data which formed
>    the basis of this attack. We believe that these attacks are rendered
>    infeasible by these changes.
> 
> New features:
> 
>  * Added a -y option to ssh(1) to force logging to syslog rather than
>    stderr, which is useful when running daemonised (ssh -f)
> 
>  * The sshd_config(5) ForceCommand directive now accepts commandline
>    arguments for the internal-sftp server.
> 
>  * The ssh(1) ~C escape commandline now supports runtime creation of
>    dynamic (-D) port forwards.
> 
>  * Support the SOCKS4A protocol in ssh(1) dynamic (-D) forwards.
>    (bz#1482)
> 
>  * Support remote port forwarding with a listen port of '0'. This
>    informs the server that it should dynamically allocate a listen
>    port and report it back to the client. (bz#1003)
> 
>  * sshd(8) now supports setting PermitEmptyPasswords and
>    AllowAgentForwarding in Match blocks
> 
> Bug and documentation fixes
> 
>  * Repair a ssh(1) crash introduced in openssh-5.1 when the client is
>    sent a zero-length banner (bz#1496)
> 
>  * Due to interoperability problems with certain
>    broken SSH implementations, the eow@openssh.com and
>    no-more-sessions@openssh.com protocol extensions are now only sent
>    to peers that identify themselves as OpenSSH.
> 
>  * Make ssh(1) send the correct channel number for
>    SSH2_MSG_CHANNEL_SUCCESS and SSH2_MSG_CHANNEL_FAILURE messages to
>    avoid triggering 'Non-public channel' error messages on sshd(8) in
>    openssh-5.1.
> 
>  * Avoid printing 'Non-public channel' warnings in sshd(8), since the
>    ssh(1) has sent incorrect channel numbers since ~2004 (this reverts
>    a behaviour introduced in openssh-5.1).
> 
>  * Avoid double-free in ssh(1) ~C escape -L handler (bz#1539)
> 
>  * Correct fail-on-error behaviour in sftp(1) batchmode for remote
>    stat operations. (bz#1541)
> 
>  * Disable nonfunctional ssh(1) ~C escape handler in multiplex slave
>    connections. (bz#1543)
> 
>  * Avoid hang in ssh(1) when attempting to connect to a server that
>    has MaxSessions=0 set.
> 
>  * Multiple fixes to sshd(8) configuration test (-T) mode
> 
>  * Several core and portable OpenSSH bugs fixed: 1380, 1412, 1418,
>    1419, 1421, 1490, 1491, 1492, 1514, 1515, 1518, 1520, 1538, 1540
> 
>  * Many manual page improvements.
> 
> 
> -d
> _______________________________________________
> openssh-unix-dev mailing list
> openssh-unix-dev at mindrot.org
> https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
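
The CBC countermeasure described in the quoted announcement, sketched as an added example that is not part of the original message and is not OpenSSH's own code. It models a hypothetical receiver and compares how many bytes it consumes before closing on a bad packet, with and without reading on to the maximum packet length; the block size, MAC length, length limits and function name are assumptions chosen for illustration.

```c
#include <stdint.h>
#include <stdio.h>

/* Illustrative constants: assumptions, not values from the announcement. */
#define BLOCK_SIZE 16u             /* cipher block size in bytes */
#define MAC_LEN    20u             /* MAC tag length in bytes */
#define MAX_PACKET (256u * 1024u)  /* maximum supported packet length */
#define MIN_LEN    5u              /* smallest packet_length accepted */

/*
 * Hypothetical receiver model. Returns the number of bytes consumed from
 * the wire before the connection is closed on a bad packet, or 0 if the
 * packet is accepted.
 *   decrypted_len: packet_length field recovered from the first block
 *   hardened:      0 = close immediately, 1 = keep reading to MAX_PACKET
 */
uint32_t bytes_before_close(uint32_t decrypted_len, int mac_ok, int hardened)
{
    /* Invalid length: known as soon as the first block is decrypted. */
    if (decrypted_len < MIN_LEN || decrypted_len > MAX_PACKET - 4u - MAC_LEN)
        return hardened ? MAX_PACKET : BLOCK_SIZE;

    if (mac_ok)
        return 0;

    /* Invalid MAC: known only after length field + packet + tag are read. */
    return hardened ? MAX_PACKET : 4u + decrypted_len + MAC_LEN;
}

int main(void)
{
    /* Constructed sample length fields, as recovered from the first block. */
    const uint32_t samples[] = { 32u, 1000u, 70000u, 0xFFFFFFFFu };
    size_t i;

    puts("decrypted_len  immediate-close  read-to-max");
    for (i = 0; i < sizeof(samples) / sizeof(samples[0]); i++)
        printf("%13lu  %15lu  %11lu\n",
               (unsigned long)samples[i],
               (unsigned long)bytes_before_close(samples[i], 0, 0),
               (unsigned long)bytes_before_close(samples[i], 0, 1));
    return 0;
}
```

In the immediate-close column the byte count tracks the decrypted length field, which is the kind of behavioural difference the announcement says leaked plaintext information; in the read-to-max column every bad packet produces the same count.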