Call for testing: OpenSSH 7.3
The Doctor
doctor at doctor.nl2k.ab.ca
Fri Jul 22 14:51:17 AEST 2016
On Fri, Jul 22, 2016 at 02:40:04PM +1000, Damien Miller wrote:
> Hi,
>
> OpenSSH 5.3 is almost ready for release, so we would appreciate testing
^
Huh?
> on as many platforms and systems as possible. This release contains some
> substantial new features and a number of bugfixes.
>
> Snapshot releases for portable OpenSSH are available from
> http://www.mindrot.org/openssh_snap/
>
> The OpenBSD version is available in CVS HEAD:
> http://www.openbsd.org/anoncvs.html
>
> Portable OpenSSH is also available via anonymous CVS using the
> instructions at http://www.openssh.com/portable.html#cvs or
> via Git at https://anongit.mindrot.org/openssh.git/
>
> Running the regression tests supplied with Portable OpenSSH does not
> require installation and is a simply:
>
> $ ./configure && make tests
>
> Live testing on suitable non-production systems is also
> appreciated. Please send reports of success or failure to
> openssh-unix-dev at mindrot.org.
>
> Below is a summary of changes. More detail may be found in the ChangeLog
> in the portable OpenSSH tarballs.
>
> Thanks to the many people who contributed to this release.
>
> Changes since OpenSSH 7.2
> =========================
>
> This is primarily a bugfix release.
>
> Security
> --------
>
> * sshd(8): Mitigate a potential denial-of-service attack against
> the system's crypt(3) function via sshd(8). An attacker could
> send very long passwords that would cause excessive CPU use in
> crypt(3). sshd(8) now refuses to accept password authentication
> requests of length greater than 1024 characters. Independently
> reported by Tomas Kuthan (Oracle) and curesec via coredump at
> autistici.org.
>
> * sshd(8): Mitigate timing differences in password authentication
> that could be used to discern valid from invalid account names
> when long passwords were sent and particular password hashing
> algorithms are in use on the server. CVE-2016-6210, reported by
> EddieEzra.Harari at verint.com
>
> * ssh(1), sshd(8): Fix observable timing weakness in the CBC padding
> oracle countermeasures. Reported by Jean Paul Degabriele, Kenny
> Paterson, Torben Hansen and Martin Albrecht. Note that CBC ciphers
> are disabled by default and only included for legacy compatibility.
>
> * ssh(1), sshd(8): Improve ordering ordering of MAC verification for
> Encrypt-then-MAC (EtM) mode transport MAC algorithms to verify the
> MAC before decrypting any ciphertext. This removes the possibility
> of timing differences leaking facts about the plaintext, though no
> such leakage has been observed. Reported by Jean Paul Degabriele,
> Kenny Paterson, Torben Hansen and Martin Albrecht.
>
> * sshd(8): (portable only) Ignore PAM environment vars when
> UseLogin=yes. If PAM is configured to read user-specified
> environment variables and UseLogin=yes in sshd_config, then a
> hostile local user may attack /bin/login via LD_PRELOAD or
> similar environment variables set via PAM. CVE-2015-8325,
> found by Shayan Sadigh.
>
> New Features
> ------------
>
> * ssh(1): Add a ProxyJump option and corresponding -J command-line
> flag to allow simplified indirection through a one or more SSH
> bastions or "jump hosts".
>
> * ssh(1): Add an IdentityAgent option to allow specifying specific
> agent sockets instead of accepting one from the environment.
>
> * ssh(1): Allow ExitOnForwardFailure and ClearAllForwardings to be
> optionally overridden when using ssh -W. bz#2577
>
> * ssh(1), sshd(8): Implement support for the IUTF8 terminal mode as
> per draft-sgtatham-secsh-iutf8-00.
>
> * ssh(1), sshd(8): Add support for additional fixed Diffie-Hellman
> 2K, 4K and 8K groups from draft-ietf-curdle-ssh-kex-sha2-03.
>
> * ssh-keygen(1), ssh(1), sshd(8): support SHA256 and SHA512 RSA
> signatures in certificates;
>
> * ssh(1): Add an Include directive for ssh_config(5) files.
>
> * ssh(1): Permit UTF-8 characters in pre-authentication banners sent
> from the server. bz#2058
>
> Bugfixes
> --------
>
> * ssh(1), sshd(8): Reduce the syslog level of some relatively common
> protocol events from LOG_CRIT. bz#2585
>
> * sshd(8): Refuse AuthenticationMethods="" in configurations and
> accept AuthenticationMethods=any for the default behaviour of not
> requiring multiple authentication. bz#2398
>
> * sshd(8): Remove obsolete and misleading "POSSIBLE BREAK-IN
> ATTEMPT!" message when forward and reverse DNS don't match. bz#2585
>
> * ssh(1): Close ControlPersist background process stderr except
> in debug mode or when logging to syslog. bz#1988
>
> * misc: Make PROTOCOL description for direct-streamlocal at openssh.com
> channel open messages match deployed code. bz#2529
>
> * ssh(1): Deduplicate LocalForward and RemoteForward entries to fix
> failures when both ExitOnForwardFailure and hostname
> canonicalisation are enabled. bz#2562
>
> * sshd(8): Remove fallback from moduli to obsolete "primes" file
> that was deprecated in 2001. bz#2559.
>
> * sshd_config(5): Correct description of UseDNS: it affects ssh
> hostname processing for authorized_keys, not known_hosts; bz#2554
>
> * ssh(1): Fix authentication using lone certificate keys in an agent
> without corresponding private keys on the filesystem. bz#2550
>
> * sshd(8): Send ClientAliveInterval pings when a time-based
> RekeyLimit is set; previously keepalive packets were not being
> sent. bz#2252
>
> Portability
> -----------
>
> * ssh(1), sshd(8): Fix compilation by automatically disabling ciphers
> not supported by OpenSSL. bz#2466
>
> * misc: Fix compilation failures on some versions of AIX's compiler
> related to the definition of the VA_COPY macro. bz#2589
>
> * sshd(8): Whitelist more architectures to enable the seccomp-bpf
> sandbox. bz#2590
>
> * ssh-agent(1), sftp-server(8): Disable process tracing on Solaris
> using setpflags(__PROC_PROTECT, ...). bz#2584
>
> * sshd(8): On Solaris, don't call Solaris setproject() with
> UsePAM=yes it's PAM's responsibility. bz#2425
>
> OpenSSH is brought to you by Markus Friedl, Niels Provos, Theo de
> Raadt, Kevin Steves, Damien Miller, Darren Tucker, Jason McIntyre,
> Tim Rice and Ben Lindstrom.
> _______________________________________________
> openssh-unix-dev mailing list
> openssh-unix-dev at mindrot.org
> https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
--
Member - Liberal International This is doctor@@nl2k.ab.ca Ici doctor@@nl2k.ab.ca
God,Queen and country!Never Satan President Republic!Beware AntiChrist rising!
http://www.fullyfollow.me/rootnl2k Look at Psalms 14 and 53 on Atheism
Language is the source of misunderstandings. -Antoine de Saint-Exupery
More information about the openssh-unix-dev
mailing list