Call for testing: OpenSSH 9.4
Felix Fehlauer
felix.fehlauer at fs.ei.tum.de
Thu Aug 3 02:53:02 AEST 2023
Hi Damien,
Build and tests have passed on Fedora Linux 38 and openSUSE Tumbleweed.
Thanks
On 7/31/23 08:12, Damien Miller wrote:
> Hi,
>
> OpenSSH 9.4 is almost ready for release, so we would appreciate testing
> on as many platforms and systems as possible. This is a bugfix release.
>
> Snapshot releases for portable OpenSSH are available from
> http://www.mindrot.org/openssh_snap/
>
> The OpenBSD version is available in CVS HEAD:
> http://www.openbsd.org/anoncvs.html
>
> Portable OpenSSH is also available via git using the
> instructions at http://www.openssh.com/portable.html#cvs
> at https://anongit.mindrot.org/openssh.git/ or via a mirror at Github:
> https://github.com/openssh/openssh-portable
>
> Running the regression tests supplied with Portable OpenSSH does not
> require installation and is simply:
>
> $ ./configure && make tests
>
> Live testing on suitable non-production systems is also appreciated.
> Please send reports of success or failure to
> openssh-unix-dev at mindrot.org. Security bugs should be reported
> directly to openssh at openssh.com.
>
> Below is a summary of changes. More detail may be found in the ChangeLog
> in the portable OpenSSH tarballs.
>
> Thanks to the many people who contributed to this release.
>
> Changes since OpenSSH 9.3p2
> ===========================
>
> This release fixes a number of bugs and adds some small features.
>
> Potentially incompatible changes
> --------------------------------
>
> * This release removes support for older versions of libcrypto.
> OpenSSH now requires LibreSSL >= 3.1.0 or OpenSSL >= 1.1.1.
> Note that these versions are already deprecated by their upstream
> vendors.
>
> * ssh-agent(1): PKCS#11 modules must now be specified by their full
> paths. Previously dlopen(3) could search for them in system
> library directories.
>
> New features
> ------------
>
> * ssh(1): allow forwarding Unix Domain sockets via ssh -W.
>
> * ssh(1): add support for configuration tags to ssh(1).
> This adds an ssh_config(5) "Tag" directive and corresponding
> "Match tag" predicate that may be used to select blocks of
> configuration similar to the pf.conf(5) keywords of the same
> name.
>
> * ssh(1): add a "match localnetwork" predicate. This allows matching
> on the addresses of available network interfaces and may be used to
> vary the effective client configuration based on network location.
>
> * ssh(1), sshd(8), ssh-keygen(1): infrastructure support for KRL
> extensions. This defines wire formats for optional KRL extensions
> and implements parsing of the new submessages. No actual extensions
> are supported at this point.
>
> * sshd(8): AuthorizedPrincipalsCommand and AuthorizedKeysCommand now
> accept two additional %-expansion sequences: %D which expands to
> the routing domain of the connected session and %C which expands
> to the addresses and port numbers for the source and destination
> of the connection.
>
> * ssh-keygen(1): increase the default work factor (rounds) for the
> bcrypt KDF used to derive symmetric encryption keys for passphrase
> protected key files by 50%.
>
> Bugfixes
> --------
>
> * ssh-agent(1): improve isolation between loaded PKCS#11 modules
> by running separate ssh-pkcs11-helpers for each loaded provider.
>
> * ssh(1): make -f (fork after authentication) work correctly with
> multiplexed connections, including ControlPersist. bz3589
>
> * ssh-agent(1), ssh(1): improve defences against invalid PKCS#11
> modules being loaded by checking that the requested module
> contains the required symbol before loading it.
>
> * sshd(8): fix AuthorizedPrincipalsCommand when AuthorizedKeysCommand
> appears before it in sshd_config. Since OpenSSH 8.7 the
> AuthorizedPrincipalsCommand directive was incorrectly ignored in
> this situation. bz3574
>
> * sshd(8), ssh(1), ssh-keygen(1): remove vestigial support for KRL
> signatures. When the KRL format was originally defined, it included
> support for signing of KRL objects. However, the code to sign KRLs
> and verify KRL signatures was never completed in OpenSSH. This
> release removes the partially-implemented code to verify KRLs.
> All OpenSSH tools now ignore KRL_SECTION_SIGNATURE sections in
> KRL files.
>
> * All: fix a number of memory leaks and unreachable/harmless integer
> overflows.
>
> * ssh-agent(1), ssh(1): don't truncate strings logged from PKCS#11
> modules; GHPR406
>
> * sshd(8), ssh(1): better validate CASignatureAlgorithms in
> ssh_config and sshd_config. Previously this directive would accept
> certificate algorithm names, but these were unusable in practice as
> OpenSSH does not support CA chains. bz3577
>
> * ssh(1): make `ssh -Q CASignatureAlgorithms` only list signature
> algorithms that are valid for CA signing. Previous behaviour was
> to list all signing algorithms, including certificate algorithms.
>
> * ssh-keyscan(1): gracefully handle systems where rlimits or the
> maximum number of open files is larger than INT_MAX; bz3581
>
> * ssh-keygen(1): fix "no comment" not showing when running
> `ssh-keygen -l` on multiple keys where one has a comment and other
> following keys do not. bz3580
>
> * scp(1), sftp(1): adjust ftruncate() logic to handle servers that
> reorder requests. Previously, if the server reordered requests then
> the resultant file would be erroneously truncated.
>
> * ssh(1): don't incorrectly disable hostname canonicalization when
> CanonicalizeHostname=yes and ProxyJump was explicitly set to
> "none". bz3567
>
> * scp(1): when copying local->remote, check that the source file
> exists before opening an SFTP connection to the server. Based on
> GHPR#370
>
> Portability
> -----------
>
> * All: a number of build fixes for various platforms and
> configuration combinations.
>
> * sshd(8): provide a replacement for the SELinux matchpathcon()
> function, which is deprecated.
>
> * All: relax libcrypto version checks for OpenSSL >=3. Beyond
> OpenSSL 3.0, the ABI compatibility guarantees are wider (only
> the library major must match instead of major and minor in
> earlier versions). bz#3548.
>
> * Tests: fix build problems for the sk-dummy.so FIDO provider module
> used in some tests.
>
> OpenSSH is brought to you by Markus Friedl, Niels Provos, Theo de
> Raadt, Kevin Steves, Damien Miller, Darren Tucker, Jason McIntyre,
> Tim Rice and Ben Lindstrom.
>
> _______________________________________________
> openssh-unix-dev mailing list
> openssh-unix-dev at mindrot.org
> https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
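The bcrypt work factor that the ssh-keygen(1) change above raises is stored unencrypted in the key file header, so existing keys can be audited for it without their passphrase. The Python below is an added example, not OpenSSH code: it parses the openssh-key-v1 header (cipher name, KDF name, KDF options) and flags passphrase-protected keys whose round count is below a caller-chosen minimum. The key blob it builds is constructed dummy data, and the minimum is local policy, since the release note only states the relative increase.

```python
import base64
import struct

MAGIC = b"openssh-key-v1\x00"
HEAD = "-----BEGIN OPENSSH PRIVATE KEY-----"
TAIL = "-----END OPENSSH PRIVATE KEY-----"


def _string(buf, off):
    """Read one SSH 'string' (uint32 big-endian length + bytes) at off."""
    (n,) = struct.unpack_from(">I", buf, off)
    if off + 4 + n > len(buf):
        raise ValueError("truncated string field")
    return buf[off + 4:off + 4 + n], off + 4 + n


def _pack(data):
    return struct.pack(">I", len(data)) + data


def parse_kdf_params(pem_text):
    """Return cipher, KDF name and bcrypt salt/rounds from an openssh-key-v1 file."""
    body = pem_text.split(HEAD, 1)[1].split(TAIL, 1)[0]
    blob = base64.b64decode("".join(body.split()))
    if not blob.startswith(MAGIC):
        raise ValueError("not an openssh-key-v1 private key")
    cipher, off = _string(blob, len(MAGIC))
    kdf, off = _string(blob, off)
    kdfopts, off = _string(blob, off)
    info = {"cipher": cipher.decode(), "kdf": kdf.decode(), "salt": b"", "rounds": 0}
    if info["kdf"] == "bcrypt":
        # kdfoptions for bcrypt is itself: string salt, uint32 rounds
        info["salt"], o = _string(kdfopts, 0)
        (info["rounds"],) = struct.unpack_from(">I", kdfopts, o)
    return info


def rounds_below(pem_text, minimum):
    """True if the key is passphrase-protected but uses fewer bcrypt rounds than minimum."""
    info = parse_kdf_params(pem_text)
    return info["kdf"] == "bcrypt" and info["rounds"] < minimum


def build_sample_key(kdf, rounds):
    """Construct a dummy key file with the given KDF settings (test data, not a real key)."""
    if kdf == "bcrypt":
        cipher, kdfopts = b"aes256-ctr", _pack(b"\x00" * 16) + struct.pack(">I", rounds)
    else:
        cipher, kdfopts = b"none", b""  # unencrypted key: no cipher, no KDF options
    blob = (MAGIC + _pack(cipher) + _pack(kdf.encode()) + _pack(kdfopts)
            + struct.pack(">I", 1)  # number of keys
            + _pack(b"placeholder-public-key") + _pack(b"placeholder-private-section"))
    b64 = base64.b64encode(blob).decode()
    return "\n".join([HEAD, *(b64[i:i + 70] for i in range(0, len(b64), 70)), TAIL, ""])
```

Feed the text of a real `id_ed25519`-style file to `parse_kdf_params` to see the rounds that `ssh-keygen -a` set when the key was created.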