Call for testing: OpenSSH 7.5p1
Peter Moody
mindrot at hda3.com
Sat Mar 18 03:42:37 AEDT 2017
Special snowflake reporting in. Looks good here too.
Thanks for all your hard work, folks!
On Tue, Mar 14, 2017 at 3:40 AM, Damien Miller <djm at mindrot.org> wrote:
> Hi,
>
> OpenSSH 7.5p1 is almost ready for release, so we would appreciate testing
> on as many platforms and systems as possible. This is a bugfix release.
>
> Snapshot releases for portable OpenSSH are available from
> http://www.mindrot.org/openssh_snap/
>
> The OpenBSD version is available in CVS HEAD:
> http://www.openbsd.org/anoncvs.html
>
> Portable OpenSSH is also available via git using the
> instructions at http://www.openssh.com/portable.html#cvs
> at https://anongit.mindrot.org/openssh.git/ or via a mirror at Github:
> https://github.com/openssh/openssh-portable
>
> Running the regression tests supplied with Portable OpenSSH does not
> require installation and is simply:
>
> $ ./configure && make tests
>
> Live testing on suitable non-production systems is also
> appreciated. Please send reports of success or failure to
> openssh-unix-dev at mindrot.org.
>
> Below is a summary of changes. More detail may be found in the ChangeLog
> in the portable OpenSSH tarballs.
>
> Thanks to the many people who contributed to this release.
>
> Future deprecation notice
> =========================
>
> We plan on retiring more legacy cryptography in future releases,
> specifically:
>
> * In the next major release (expected June-August), removing remaining
> support for the SSH v.1 protocol (currently client-only and compile-
> time disabled).
>
> * In the same release, removing support for Blowfish and RC4 ciphers
> and the RIPE-MD160 HMAC. (These are currently run-time disabled).
>
> * In the same release, removing the remaining CBC ciphers from being
> offered by default in the client (These have not been offered in
> sshd by default for several years).
>
> * Refusing all RSA keys smaller than 1024 bits (the current minimum
> is 768 bits)
>
> This list reflects our current intentions, but please check the final
> release notes for future releases.
>
> Potentially-incompatible changes
> ================================
>
> This release includes a number of changes that may affect existing
> configurations:
>
> * This release deprecates the sshd_config UsePrivilegeSeparation
> option, thereby making privilege separation mandatory. Privilege
> separation has been on by default for almost 15 years.
>
> * The format of several log messages emitted by the packet code has
> changed to include additional information about the user and
> their authentication state. Software that monitors ssh/sshd logs
> may need to account for these changes. For example:
>
> Connection closed by user x 1.1.1.1 port 1234 [preauth]
> Connection closed by authenticating user x 10.1.1.1 port 1234 [preauth]
> Connection closed by invalid user x 1.1.1.1 port 1234 [preauth]
>
> Affected messages include connection closure, timeout, remote
> disconnection, negotiation failure and some other fatal messages
> generated by the packet code.
>
> Changes since OpenSSH 7.4
> =========================
>
> This is a bugfix release.
>
> New Features
> ------------
>
> * ssh(1), sshd(8): Support "=-" syntax to easily remove methods from
> algorithm lists, e.g. Ciphers=-*cbc. bz#2671
>
> Bugfixes
> --------
>
> * ssh(1), sshd(8): Allow form-feed characters to appear in
> configuration files.
>
> * sshd(8): Fix regression in OpenSSH 7.4 support for the
> server-sig-algs extension, where SHA2 RSA signature methods were
> not being correctly advertised. bz#2680
>
> * ssh(1), ssh-keygen(1): Fix a number of case-sensitivity bugs in
> known_hosts processing. bz#2591 bz#2685
>
> * ssh(1): Allow ssh to use certificates accompanied by a private key
> file but no corresponding plain *.pub public key. bz#2617
>
> * ssh(1): When updating hostkeys using the UpdateHostKeys option,
> accept RSA keys if HostkeyAlgorithms contains any RSA keytype.
> Previously, ssh could ignore RSA keys when only the ssh-rsa-sha2-*
> methods were enabled in HostkeyAlgorithms and not the old ssh-rsa
> method. bz#2650
>
> * ssh(1): Detect and report excessively long configuration file
> lines. bz#2651
>
> * Merge a number of fixes found by Coverity and reported via Redhat
> and FreeBSD. Includes fixes for some memory and file descriptor
> leaks in error paths. bz#2687
>
> * ssh-keyscan(1): Correctly hash hosts with a port number. bz#2692
>
> * ssh(1), sshd(8): When logging long messages to stderr, don't truncate
> "\r\n" if the length of the message exceeds the buffer. bz#2688
>
> * ssh(1): Fully quote [host]:port in generated ProxyJump/-J command-
> line; avoid confusion over IPv6 addresses and shells that treat
> square bracket characters specially.
>
> * ssh-keygen(1): Fix corruption of known_hosts when running
> "ssh-keygen -H" on a known_hosts containing already-hashed entries.
>
> * Fix various fallout and sharp edges caused by removing SSH protocol
> 1 support from the server, including the server banner string being
> incorrectly terminated with only \n (instead of \r\n), and
> confusing error messages from ssh-keyscan bz#2583.
>
> * ssh(1), sshd(8): Free fd_set on connection timeout. bz#2683
>
> * sshd(8): Fix Unix domain socket forwarding for root (regression in
> OpenSSH 7.4).
>
> * sftp(1): Fix division by zero crash in "df" output when server
> returns zero total filesystem blocks/inodes.
>
> * ssh(1), ssh-add(1), ssh-keygen(1), sshd(8): Translate OpenSSL errors
> encountered during key loading to more meaningful error codes.
> bz#2522 bz#2523
>
> * ssh-keygen(1): Sanitise escape sequences in key comments sent to
> printf but preserve valid UTF-8 when the locale supports it;
> bz#2520
>
> * ssh(1), sshd(8): Return reason for port forwarding failures where
> feasible rather than always "administratively prohibited". bz#2674
>
> * sshd(8): Fix deadlock when AuthorizedKeysCommand or
> AuthorizedPrincipalsCommand produces a lot of output and a key is
> matched early. bz#2655
>
> * Regression tests: several reliability fixes. bz#2654 bz#2658 bz#2659
>
> * ssh(1): Fix typo in ~C error message for bad port forward
> cancellation. bz#2672
>
> * ssh(1): Show a useful error message when included config files
> can't be opened; bz#2653
>
> * sshd(8): Make sshd set GSSAPIStrictAcceptorCheck=yes as the manual page
> (previously incorrectly) advertised. bz#2637
>
> * sshd_config(5): Repair accidentally-deleted mention of %k token
> in AuthorizedKeysCommand; bz#2656
>
> * sshd(8): Remove vestiges of previously removed LOGIN_PROGRAM; bz#2665
>
> * ssh-agent(1): Relax PKCS#11 whitelist to include libexec and
> common 32-bit compatibility library directories.
>
> * sftp-client(1): fix non-exploitable integer overflow in SSH2_FXP_NAME
> response handling.
>
> Portability
> -----------
>
> * sshd(8): Avoid sandbox errors for Linux S390 systems using an ICA
> crypto coprocessor.
>
> * sshd(8): Fix non-exploitable weakness in seccomp-bpf sandbox arg
> inspection.
>
> * ssh(1): Fix X11 forwarding on OSX where X11 was being started by
> launchd. bz#2341
>
> * ssh-keygen(1), ssh(1), sftp(1): Fix output truncation for various that
> contain non-printable characters where the codeset in use is ASCII.
>
> * build: Fix builds that attempt to link a kerberised libldns. bz#2603
>
> * build: Fix compilation problems caused by unconditionally defining
> _XOPEN_SOURCE in wide character detection.
>
> * sshd(8): Fix sandbox violations for clock_gettime VDSO syscall
> fallback on some Linux/X32 kernels. bz#2142
>
> OpenSSH is brought to you by Markus Friedl, Niels Provos, Theo de
> Raadt, Kevin Steves, Damien Miller, Darren Tucker, Jason McIntyre,
> Tim Rice and Ben Lindstrom.
>
> _______________________________________________
> openssh-unix-dev mailing list
> openssh-unix-dev at mindrot.org
> https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
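The log-format change in the quoted message is the part most likely to break something in production: a SIEM rule or fail2ban-style filter written against the 7.4 layout ("Connection closed by ADDR port N") stops matching once "[authenticating |invalid ]user NAME" appears in front of the address. The following parser is an added example by the editor of this page, not code from the message or from OpenSSH. It accepts both the old and the new layout, records which of the three user states was logged, and runs a small detection over a constructed sample log. Only the "Connection closed by" form is quoted in the notes; the "Disconnected from" and "Received disconnect from" prefixes are assumptions based on the description of "remote disconnection" messages, and the sample lines below are constructed, not real logs.

```python
import re
from collections import Counter

# Optional syslog framing ("... sshd[PID]: ") ahead of the sshd message; the
# bare messages quoted in the release notes parse as well.
SYSLOG_RE = re.compile(r"^(?:.*?\bsshd\[\d+\]: )?(?P<msg>.*)$")

# OpenSSH 7.5 inserts "[authenticating |invalid ]user NAME " between the event
# text and the peer address. Pre-7.5 messages go straight to the address, so
# the whole clause is optional. "Connection closed by" is the form quoted in
# the notes; the other two event prefixes are assumed from the description of
# "remote disconnection" messages and are not shown on the page.
MSG_RE = re.compile(
    r"^(?P<event>Connection closed by|Disconnected from|Received disconnect from) "
    r"(?:(?:(?P<state>authenticating|invalid) )?user (?P<user>\S+) )?"
    r"(?P<ip>\S+) port (?P<port>\d+)"
    r"(?P<rest>.*?)"
    r"(?P<preauth> \[preauth\])?$"
)


def parse_sshd_line(line):
    """Return a record for a connection-closure style message, else None.

    state is "invalid" (username does not exist on the host), "authenticating"
    (real user, authentication still in progress), "user" (no qualifier in the
    message) or None when the message carries no user clause at all, i.e. the
    pre-7.5 layout.
    """
    msg = SYSLOG_RE.match(line).group("msg")
    m = MSG_RE.match(msg)
    if m is None:
        return None
    user = m.group("user")
    state = m.group("state") or ("user" if user else None)
    return {
        "event": m.group("event"),
        "state": state,
        "user": user,
        "ip": m.group("ip"),
        "port": int(m.group("port")),
        "preauth": m.group("preauth") is not None,
    }


def invalid_user_sources(lines, threshold=3):
    """Source addresses with at least `threshold` closures for non-existent
    usernames: the kind of rule that silently stops firing if it still expects
    the 7.4 "closed by ADDR port N" layout."""
    counts = Counter()
    for line in lines:
        rec = parse_sshd_line(line)
        if rec is not None and rec["state"] == "invalid":
            counts[rec["ip"]] += 1
    return {ip: n for ip, n in counts.items() if n >= threshold}


# Constructed sample log (not real data): one pre-7.5 line, the three forms
# quoted in the release notes, and a few more lines in the new layout.
SAMPLE_LOG = """\
Mar 18 03:40:01 bastion sshd[4101]: Connection closed by 1.1.1.1 port 1234 [preauth]
Mar 18 03:40:02 bastion sshd[4102]: Connection closed by user x 1.1.1.1 port 1234 [preauth]
Mar 18 03:40:03 bastion sshd[4103]: Connection closed by authenticating user x 10.1.1.1 port 1234 [preauth]
Mar 18 03:40:04 bastion sshd[4104]: Connection closed by invalid user x 1.1.1.1 port 1234 [preauth]
Mar 18 03:40:05 bastion sshd[4105]: Connection closed by invalid user admin 1.1.1.1 port 1235 [preauth]
Mar 18 03:40:06 bastion sshd[4106]: Connection closed by invalid user oracle 1.1.1.1 port 1236 [preauth]
Mar 18 03:40:07 bastion sshd[4107]: Received disconnect from user alice 10.1.1.2 port 50000:11: disconnected by user
Mar 18 03:40:08 bastion sshd[4108]: Accepted publickey for alice from 10.1.1.2 port 50000 ssh2
""".splitlines()

if __name__ == "__main__":
    for line in SAMPLE_LOG:
        print(parse_sshd_line(line))
    print(invalid_user_sources(SAMPLE_LOG))
```

The point of keeping the user clause optional is that a mixed fleet (7.4 and 7.5 hosts feeding one collector) keeps parsing during the upgrade window; after the upgrade, the "invalid" state is a cleaner brute-force signal than address-only counting, since it separates guesses at non-existent accounts from failed logins to real ones.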
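The one new feature in the quoted notes, the "=-" syntax for algorithm lists (Ciphers=-*cbc), is easier to reason about once the list editing is spelled out. The model below is an added example by the editor of this page, not code from the message or from OpenSSH: it applies a Ciphers/MACs/KexAlgorithms value to a default list using the new "-" (remove matching patterns) form next to the older "+" (append) form, with the wildcard rules OpenSSH patterns use ('*' and '?' only). DEFAULT_CIPHERS is an assumed client default chosen so that the CBC entries the notes say will later leave the client default are still present; check the real list with `ssh -Q cipher` on your own host.

```python
import re

# Assumed client-side default list for illustration (the CBC ciphers are still
# offered by the 7.5 client; the notes say a later release drops them from the
# default). Verify against `ssh -Q cipher` and ssh_config(5) on a real host.
DEFAULT_CIPHERS = [
    "chacha20-poly1305@openssh.com",
    "aes128-ctr", "aes192-ctr", "aes256-ctr",
    "aes128-gcm@openssh.com", "aes256-gcm@openssh.com",
    "aes128-cbc", "aes192-cbc", "aes256-cbc",
]


def _glob_to_re(pattern):
    """OpenSSH patterns know only '*' and '?'; everything else is literal."""
    parts = [".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern]
    return re.compile("^" + "".join(parts) + "$")


def _matches_any(name, patterns):
    return any(_glob_to_re(p).match(name) for p in patterns)


def apply_algorithm_spec(default, spec):
    """Effective algorithm list for a Ciphers/MACs/KexAlgorithms value.

    "-pat,pat"  drop every default entry matching one of the patterns (the
                7.5 "=-" form from the release notes)
    "+a,b"      append a,b to the default list, skipping names already present
                (the "+" form, which predates this release)
    "a,b"       replace the default list outright
    """
    if spec.startswith("-"):
        patterns = spec[1:].split(",")
        result = [a for a in default if not _matches_any(a, patterns)]
    elif spec.startswith("+"):
        extra = spec[1:].split(",")
        result = list(default) + [a for a in extra if a not in default]
    else:
        result = spec.split(",")
    if not result:
        # ssh/sshd refuse a spec that leaves nothing to offer rather than
        # negotiating with an empty list; mirrored here as an error.
        raise ValueError("algorithm spec %r leaves an empty list" % spec)
    return result


if __name__ == "__main__":
    print(apply_algorithm_spec(DEFAULT_CIPHERS, "-*cbc"))
    print(apply_algorithm_spec(DEFAULT_CIPHERS, "-*cbc,*gcm*"))
    print(apply_algorithm_spec(DEFAULT_CIPHERS, "+3des-cbc"))
```

In ssh_config the same thing is written as `Ciphers -*cbc` (or `-o Ciphers=-*cbc` on the command line), and `ssh -G host | grep -i ciphers` prints the list the client will actually offer after the edit, which is the check worth running before relying on a "-" pattern: a pattern that matches nothing leaves the default untouched and produces no error, so a typo such as `-*cbd` hardens nothing.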