Call for testing: OpenSSH 9.4

Corinna Vinschen vinschen at redhat.com
Wed Aug 2 08:37:18 AEST 2023


Hi Damien,


Builds fine on Cygwin, all tests pass.


Thanks,
Corinna


On Jul 31 16:12, Damien Miller wrote:
> Hi,
> 
> OpenSSH 9.4 is almost ready for release, so we would appreciate testing
> on as many platforms and systems as possible. This is a bugfix release.
> 
> Snapshot releases for portable OpenSSH are available from
> http://www.mindrot.org/openssh_snap/
> 
> The OpenBSD version is available in CVS HEAD:
> http://www.openbsd.org/anoncvs.html
> 
> Portable OpenSSH is also available via git using the
> instructions at http://www.openssh.com/portable.html#cvs
> At https://anongit.mindrot.org/openssh.git/ or via a mirror at Github:
> https://github.com/openssh/openssh-portable
> 
> Running the regression tests supplied with Portable OpenSSH does not
> require installation and is simply:
> 
> $ ./configure && make tests
> 
> Live testing on suitable non-production systems is also appreciated.
> Please send reports of success or failure to
> openssh-unix-dev at mindrot.org. Security bugs should be reported
> directly to openssh at openssh.com.
> 
> Below is a summary of changes. More detail may be found in the ChangeLog
> in the portable OpenSSH tarballs.
> 
> Thanks to the many people who contributed to this release.
> 
> Changes since OpenSSH 9.3p2
> ===========================
> 
> This release fixes a number of bugs and adds some small features.
> 
> Potentially incompatible changes
> --------------------------------
> 
>  * This release removes support for older versions of libcrypto.
>    OpenSSH now requires LibreSSL >= 3.1.0 or OpenSSL >= 1.1.1.
>    Note that these versions are already deprecated by their upstream
>    vendors.
> 
>  * ssh-agent(1): PKCS#11 modules must now be specified by their full
>    paths. Previously dlopen(3) could search for them in system
>    library directories.
> 
> New features
> ------------
> 
>  * ssh(1): allow forwarding Unix Domain sockets via ssh -W.
> 
>  * ssh(1): add support for configuration tags to ssh(1).
>    This adds a ssh_config(5) "Tag" directive and corresponding
>    "Match tag" predicate that may be used to select blocks of
>    configuration similar to the pf.conf(5) keywords of the same
>    name.
> 
>  * ssh(1): add a "match localnetwork" predicate. This allows matching
>    on the addresses of available network interfaces and may be used to
>    vary the effective client configuration based on network location.
> 
>  * ssh(1), sshd(8), ssh-keygen(1): infrastructure support for KRL
>    extensions.  This defines wire formats for optional KRL extensions
>    and implements parsing of the new submessages. No actual extensions
>    are supported at this point.
> 
>  * sshd(8): AuthorizedPrincipalsCommand and AuthorizedKeysCommand now
>    accept two additional %-expansion sequences: %D which expands to
>    the routing domain of the connected session and %C which expands
>    to the addresses and port numbers for the source and destination
>    of the connection.
> 
>  * ssh-keygen(1): increase the default work factor (rounds) for the
>    bcrypt KDF used to derive symmetric encryption keys for passphrase
>    protected key files by 50%.
> 
> Bugfixes
> --------
> 
>  * ssh-agent(1): improve isolation between loaded PKCS#11 modules
>    by running separate ssh-pkcs11-helpers for each loaded provider.
> 
>  * ssh(1): make -f (fork after authentication) work correctly with
>    multiplexed connections, including ControlPersist. bz3589
> 
>  * ssh-agent(1), ssh(1): improve defences against invalid PKCS#11
>    modules being loaded by checking that the requested module
>    contains the required symbol before loading it.
> 
>  * sshd(8): fix AuthorizedPrincipalsCommand when AuthorizedKeysCommand
>    appears before it in sshd_config. Since OpenSSH 8.7 the
>    AuthorizedPrincipalsCommand directive was incorrectly ignored in
>    this situation. bz3574
> 
>  * sshd(8), ssh(1), ssh-keygen(1): remove vestigial support for KRL
>    signatures. When the KRL format was originally defined, it included
>    support for signing of KRL objects. However, the code to sign KRLs
>    and verify KRL signatures was never completed in OpenSSH. This
>    release removes the partially-implemented code to verify KRLs.
>    All OpenSSH tools now ignore KRL_SECTION_SIGNATURE sections in
>    KRL files.
> 
>  * All: fix a number of memory leaks and unreachable/harmless integer
>    overflows.
> 
>  * ssh-agent(1), ssh(1): don't truncate strings logged from PKCS#11
>    modules; GHPR406
> 
>  * sshd(8), ssh(1): better validate CASignatureAlgorithms in
>    ssh_config and sshd_config. Previously this directive would accept
>    certificate algorithm names, but these were unusable in practice as
>    OpenSSH does not support CA chains. bz3577
> 
>  * ssh(1): make `ssh -Q CASignatureAlgorithms` only list signature
>    algorithms that are valid for CA signing. Previous behaviour was
>    to list all signing algorithms, including certificate algorithms.
> 
>  * ssh-keyscan(1): gracefully handle systems where rlimits or the
>    maximum number of open files is larger than INT_MAX; bz3581
> 
>  * ssh-keygen(1): fix "no comment" not showing when running
>    `ssh-keygen -l` on multiple keys where one has a comment and other
>    following keys do not. bz3580
> 
>  * scp(1), sftp(1): adjust ftruncate() logic to handle servers that
>    reorder requests. Previously, if the server reordered requests then
>    the resultant file would be erroneously truncated.
> 
>  * ssh(1): don't incorrectly disable hostname canonicalization when
>    CanonicalizeHostname=yes and ProxyJump was explicitly set to
>    "none". bz3567
> 
>  * scp(1): when copying local->remote, check that the source file
>    exists before opening an SFTP connection to the server. Based on
>    GHPR#370
> 
> Portability
> -----------
> 
>  * All: a number of build fixes for various platforms and
>    configuration combinations.
> 
>  * sshd(8): provide a replacement for the SELinux matchpathcon()
>    function, which is deprecated.
> 
>  * All: relax libcrypto version checks for OpenSSL >=3. Beyond
>    OpenSSL 3.0, the ABI compatibility guarantees are wider (only
>    the library major must match instead of major and minor in
>    earlier versions).  bz#3548.
> 
>  * Tests: fix build problems for the sk-dummy.so FIDO provider module
>    used in some tests.
> 
> OpenSSH is brought to you by Markus Friedl, Niels Provos, Theo de
> Raadt, Kevin Steves, Damien Miller, Darren Tucker, Jason McIntyre,
> Tim Rice and Ben Lindstrom.
> 
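As an added illustration of two items in the quoted notes (the new KRL_SECTION_EXTENSION submessage and the rule that KRL_SECTION_SIGNATURE sections are now ignored), here is a small KRL reader following the PROTOCOL.krl layout shipped with OpenSSH. It is example code written for this page, not OpenSSH's krl.c; the section type numbers, the `build_krl` helper and the sample key blobs are this example's own constructed input, and it rejects unknown critical extensions since no extensions are defined yet.

```python
import struct

KRL_MAGIC = b"SSHKRL\n\0"          # raw 8-byte magic, not length-prefixed
KRL_FORMAT_VERSION = 1
SEC_EXPLICIT_KEY, SEC_SIGNATURE, SEC_FP_SHA256, SEC_EXTENSION = 2, 4, 5, 6

def _string(b):
    """SSH wire 'string': uint32 big-endian length followed by the bytes."""
    return struct.pack(">I", len(b)) + b

def build_krl(revoked_blobs, ext=(b"example@example.com", False)):
    """Constructed sample KRL: explicit-key section, a stale signature section, one extension."""
    body = KRL_MAGIC + struct.pack(">IQQQ", KRL_FORMAT_VERSION, 1, 0, 0)
    body += _string(b"") + _string(b"constructed KRL")           # reserved, comment
    body += bytes([SEC_EXPLICIT_KEY]) + _string(b"".join(_string(k) for k in revoked_blobs))
    body += bytes([SEC_SIGNATURE]) + _string(b"stale-signature-bytes")  # ignored per 9.4
    name, critical = ext
    body += bytes([SEC_EXTENSION]) + _string(_string(name) + bytes([critical]) + _string(b""))
    return body

class Reader:
    """Bounds-checked cursor over wire-format bytes."""
    def __init__(self, data): self.d, self.o = data, 0
    def take(self, n):
        if self.o + n > len(self.d): raise ValueError("truncated KRL")
        v = self.d[self.o:self.o + n]; self.o += n; return v
    def u8(self): return self.take(1)[0]
    def u32(self): return struct.unpack(">I", self.take(4))[0]
    def u64(self): return struct.unpack(">Q", self.take(8))[0]
    def string(self): return self.take(self.u32())
    def done(self): return self.o == len(self.d)

def parse_krl(data):
    """Return (header dict, set of revoked key blobs, list of extension names)."""
    r = Reader(data)
    if r.take(8) != KRL_MAGIC: raise ValueError("bad KRL magic")
    if r.u32() != KRL_FORMAT_VERSION: raise ValueError("unsupported KRL format version")
    hdr = {"krl_version": r.u64(), "generated_date": r.u64(), "flags": r.u64()}
    r.string()                                   # reserved, must be skipped not trusted
    hdr["comment"] = r.string()
    revoked, exts = set(), []
    while not r.done():
        stype, sect = r.u8(), Reader(r.string())   # byte section_type, string section_data
        if stype == SEC_EXPLICIT_KEY:
            while not sect.done(): revoked.add(sect.string())
        elif stype == SEC_SIGNATURE:
            continue                             # 9.4 behaviour: signature sections ignored
        elif stype == SEC_EXTENSION:
            name, critical, _contents = sect.string(), sect.u8() != 0, sect.string()
            if critical: raise ValueError("unsupported critical KRL extension %r" % name)
            exts.append(name)                    # non-critical unknown extension: skip it
        else:
            raise ValueError("section type %d not handled by this example" % stype)
    return hdr, revoked, exts

def is_revoked(krl_bytes, key_blob):
    return key_blob in parse_krl(krl_bytes)[1]
```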