Call for testing: OpenSSH 9.4

Felix Fehlauer felix.fehlauer at fs.ei.tum.de
Thu Aug 3 02:53:02 AEST 2023


Hi Damien,

Build and tests have passed on Fedora Linux 38 and openSUSE Tumbleweed.

Thanks

On 7/31/23 08:12, Damien Miller wrote:
> Hi,
> 
> OpenSSH 9.4 is almost ready for release, so we would appreciate testing
> on as many platforms and systems as possible. This is a bugfix release.
> 
> Snapshot releases for portable OpenSSH are available from
> http://www.mindrot.org/openssh_snap/
> 
> The OpenBSD version is available in CVS HEAD:
> http://www.openbsd.org/anoncvs.html
> 
> Portable OpenSSH is also available via git using the
> instructions at http://www.openssh.com/portable.html#cvs
> At https://anongit.mindrot.org/openssh.git/ or via a mirror at Github:
> https://github.com/openssh/openssh-portable
> 
> Running the regression tests supplied with Portable OpenSSH does not
> require installation and is simply:
> 
> $ ./configure && make tests
> 
> Live testing on suitable non-production systems is also appreciated.
> Please send reports of success or failure to
> openssh-unix-dev at mindrot.org. Security bugs should be reported
> directly to openssh at openssh.com.
> 
> Below is a summary of changes. More detail may be found in the ChangeLog
> in the portable OpenSSH tarballs.
> 
> Thanks to the many people who contributed to this release.
> 
> Changes since OpenSSH 9.3p2
> ===========================
> 
> This release fixes a number of bugs and adds some small features.
> 
> Potentially incompatible changes
> --------------------------------
> 
>   * This release removes support for older versions of libcrypto.
>     OpenSSH now requires LibreSSL >= 3.1.0 or OpenSSL >= 1.1.1.
>     Note that these versions are already deprecated by their upstream
>     vendors.
> 
>   * ssh-agent(1): PKCS#11 modules must now be specified by their full
>     paths. Previously dlopen(3) could search for them in system
>     library directories.
> 
> New features
> ------------
> 
>   * ssh(1): allow forwarding Unix Domain sockets via ssh -W.
> 
>   * ssh(1): add support for configuration tags to ssh(1).
>     This adds a ssh_config(5) "Tag" directive and corresponding
>     "Match tag" predicate that may be used to select blocks of
>     configuration similar to the pf.conf(5) keywords of the same
>     name.
> 
>   * ssh(1): add a "match localnetwork" predicate. This allows matching
>     on the addresses of available network interfaces and may be used to
>     vary the effective client configuration based on network location.
> 
>   * ssh(1), sshd(8), ssh-keygen(1): infrastructure support for KRL
>     extensions.  This defines wire formats for optional KRL extensions
>     and implements parsing of the new submessages. No actual extensions
>     are supported at this point.
> 
>   * sshd(8): AuthorizedPrincipalsCommand and AuthorizedKeysCommand now
>     accept two additional %-expansion sequences: %D which expands to
>     the routing domain of the connected session and %C which expands
>     to the addresses and port numbers for the source and destination
>     of the connection.
> 
>   * ssh-keygen(1): increase the default work factor (rounds) for the
>     bcrypt KDF used to derive symmetric encryption keys for passphrase
>     protected key files by 50%.
> 
> Bugfixes
> --------
> 
>   * ssh-agent(1): improve isolation between loaded PKCS#11 modules
>     by running separate ssh-pkcs11-helpers for each loaded provider.
> 
>   * ssh(1): make -f (fork after authentication) work correctly with
>     multiplexed connections, including ControlPersist. bz3589
> 
>   * ssh-agent(1), ssh(1): improve defences against invalid PKCS#11
>     modules being loaded by checking that the requested module
>     contains the required symbol before loading it.
> 
>   * sshd(8): fix AuthorizedPrincipalsCommand when AuthorizedKeysCommand
>     appears before it in sshd_config. Since OpenSSH 8.7 the
>     AuthorizedPrincipalsCommand directive was incorrectly ignored in
>     this situation. bz3574
> 
>   * sshd(8), ssh(1), ssh-keygen(1): remove vestigial support for KRL
>     signatures. When the KRL format was originally defined, it included
>     support for signing of KRL objects. However, the code to sign KRLs
>     and verify KRL signatures was never completed in OpenSSH. This
>     release removes the partially-implemented code to verify KRLs.
>     All OpenSSH tools now ignore KRL_SECTION_SIGNATURE sections in
>     KRL files.
> 
>   * All: fix a number of memory leaks and unreachable/harmless integer
>     overflows.
> 
>   * ssh-agent(1), ssh(1): don't truncate strings logged from PKCS#11
>     modules; GHPR406
> 
>   * sshd(8), ssh(1): better validate CASignatureAlgorithms in
>     ssh_config and sshd_config. Previously this directive would accept
>     certificate algorithm names, but these were unusable in practice as
>     OpenSSH does not support CA chains. bz3577
> 
>   * ssh(1): make `ssh -Q CASignatureAlgorithms` only list signature
>     algorithms that are valid for CA signing. Previous behaviour was
>     to list all signing algorithms, including certificate algorithms.
> 
>   * ssh-keyscan(1): gracefully handle systems where rlimits or the
>     maximum number of open files is larger than INT_MAX; bz3581
> 
>   * ssh-keygen(1): fix "no comment" not showing when running
>     `ssh-keygen -l` on multiple keys where one has a comment and other
>     following keys do not. bz3580
> 
>   * scp(1), sftp(1): adjust ftruncate() logic to handle servers that
>     reorder requests. Previously, if the server reordered requests then
>     the resultant file would be erroneously truncated.
> 
>   * ssh(1): don't incorrectly disable hostname canonicalization when
>     CanonicalizeHostname=yes and ProxyJump was explicitly set to
>     "none". bz3567
> 
>   * scp(1): when copying local->remote, check that the source file
>     exists before opening an SFTP connection to the server. Based on
>     GHPR#370
> 
> Portability
> -----------
> 
>   * All: a number of build fixes for various platforms and
>     configuration combinations.
> 
>   * sshd(8): provide a replacement for the SELinux matchpathcon()
>     function, which is deprecated.
> 
>   * All: relax libcrypto version checks for OpenSSL >=3. Beyond
>     OpenSSL 3.0, the ABI compatibility guarantees are wider (only
>     the library major must match instead of major and minor in
>     earlier versions).  bz#3548.
> 
>   * Tests: fix build problems for the sk-dummy.so FIDO provider module
>     used in some tests.
> 
> OpenSSH is brought to you by Markus Friedl, Niels Provos, Theo de
> Raadt, Kevin Steves, Damien Miller, Darren Tucker, Jason McIntyre,
> Tim Rice and Ben Lindstrom.
> 
> _______________________________________________
> openssh-unix-dev mailing list
> openssh-unix-dev at mindrot.org
> https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
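
As an added example that is not part of the announcement or the OpenSSH project's own files, the following ssh_config(5) fragment combines the new Tag / "Match tag" and "Match localnetwork" features described above so that internal hosts are reached directly on the office LAN and through a bastion everywhere else. The 10.20.0.0/16 range, the *.corp.example hosts, the bastion name and the tag name "office" are made-up placeholders.

```ssh_config
# Constructed example (not from the announcement). Assumes the office
# LAN is 10.20.0.0/16 and internal hosts live under *.corp.example.
# Match blocks are evaluated while ssh_config is parsed and the first
# value obtained for an option wins, so the Tag is assigned before the
# "Match tag" blocks that depend on it.

# Only tag the session "office" when a local interface sits on the LAN.
Match localnetwork 10.20.0.0/16
    Tag office

# On the office LAN: reach internal hosts directly, no jump host.
Match tag office host *.corp.example
    ProxyJump none

# Anywhere else: force traffic through the bastion and refuse
# connections whose host key is not already in known_hosts.
Match !tag office host *.corp.example
    ProxyJump bastion.example.com
    StrictHostKeyChecking yes

# Settings shared by both locations.
Host *.corp.example
    User deploy
    IdentitiesOnly yes
```

Running `ssh -G somehost.corp.example` from each network prints the effective configuration, which is the quickest way to confirm that the expected ProxyJump value was selected.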