Call for testing: OpenSSH 7.3

Jeff Wieland wieland at purdue.edu
Sat Jul 30 02:10:24 AEST 2016


Compiles and passes tests on SPARC Solaris 10, using our local
build of OpenSSL 1.0.2h.

Damien Miller wrote:
> Hi,
>
> OpenSSH 5.3 is almost ready for release, so we would appreciate testing
> on as many platforms and systems as possible. This release contains some
> substantial new features and a number of bugfixes.
>
> Snapshot releases for portable OpenSSH are available from
> http://www.mindrot.org/openssh_snap/
>
> The OpenBSD version is available in CVS HEAD:
> http://www.openbsd.org/anoncvs.html
>
> Portable OpenSSH is also available via anonymous CVS using the
> instructions at http://www.openssh.com/portable.html#cvs or
> via Git at https://anongit.mindrot.org/openssh.git/
>
> Running the regression tests supplied with Portable OpenSSH does not
> require installation and is simply:
>
> $ ./configure && make tests
>
> Live testing on suitable non-production systems is also
> appreciated. Please send reports of success or failure to
> openssh-unix-dev at mindrot.org.
>
> Below is a summary of changes. More detail may be found in the ChangeLog
> in the portable OpenSSH tarballs.
>
> Thanks to the many people who contributed to this release.
>
> Changes since OpenSSH 7.2
> =========================
>
> This is primarily a bugfix release.
>
> Security
> --------
>
>  * sshd(8): Mitigate a potential denial-of-service attack against
>    the system's crypt(3) function via sshd(8). An attacker could
>    send very long passwords that would cause excessive CPU use in
>    crypt(3). sshd(8) now refuses to accept password authentication
>    requests of length greater than 1024 characters. Independently
>    reported by Tomas Kuthan (Oracle) and curesec via coredump at
>    autistici.org.
>
>  * sshd(8): Mitigate timing differences in password authentication
>    that could be used to discern valid from invalid account names
>    when long passwords were sent and particular password hashing
>    algorithms are in use on the server. CVE-2016-6210, reported by
>    EddieEzra.Harari at verint.com
>
>  * ssh(1), sshd(8): Fix observable timing weakness in the CBC padding
>    oracle countermeasures. Reported by Jean Paul Degabriele, Kenny
>    Paterson, Torben Hansen and Martin Albrecht. Note that CBC ciphers
>    are disabled by default and only included for legacy compatibility.
>
>  * ssh(1), sshd(8): Improve ordering of MAC verification for
>    Encrypt-then-MAC (EtM) mode transport MAC algorithms to verify the
>    MAC before decrypting any ciphertext. This removes the possibility
>    of timing differences leaking facts about the plaintext, though no
>    such leakage has been observed.  Reported by Jean Paul Degabriele,
>    Kenny Paterson, Torben Hansen and Martin Albrecht.
>     
>  * sshd(8): (portable only) Ignore PAM environment vars when
>    UseLogin=yes. If PAM is configured to read user-specified
>    environment variables and UseLogin=yes in sshd_config, then a
>    hostile local user may attack /bin/login via LD_PRELOAD or
>    similar environment variables set via PAM. CVE-2015-8325,
>    found by Shayan Sadigh.
>
> New Features
> ------------
>
>  * ssh(1): Add a ProxyJump option and corresponding -J command-line
>    flag to allow simplified indirection through one or more SSH
>    bastions or "jump hosts".
>
>  * ssh(1): Add an IdentityAgent option to allow specifying specific
>    agent sockets instead of accepting one from the environment.
>     
>  * ssh(1): Allow ExitOnForwardFailure and ClearAllForwardings to be
>    optionally overridden when using ssh -W. bz#2577
>
>  * ssh(1), sshd(8): Implement support for the IUTF8 terminal mode as
>    per draft-sgtatham-secsh-iutf8-00.
>     
>  * ssh(1), sshd(8): Add support for additional fixed Diffie-Hellman
>    2K, 4K and 8K groups from draft-ietf-curdle-ssh-kex-sha2-03.
>
>  * ssh-keygen(1), ssh(1), sshd(8): support SHA256 and SHA512 RSA
>    signatures in certificates;
>     
>  * ssh(1): Add an Include directive for ssh_config(5) files.
>
>  * ssh(1): Permit UTF-8 characters in pre-authentication banners sent
>    from the server. bz#2058
>
> Bugfixes
> --------
>
>  * ssh(1), sshd(8): Reduce the syslog level of some relatively common
>    protocol events from LOG_CRIT. bz#2585
>
>  * sshd(8): Refuse AuthenticationMethods="" in configurations and
>    accept AuthenticationMethods=any for the default behaviour of not
>    requiring multiple authentication. bz#2398
>
>  * sshd(8): Remove obsolete and misleading "POSSIBLE BREAK-IN
>    ATTEMPT!" message when forward and reverse DNS don't match. bz#2585
>
>  * ssh(1): Close ControlPersist background process stderr except
>    in debug mode or when logging to syslog. bz#1988
>
>  * misc: Make PROTOCOL description for direct-streamlocal at openssh.com
>    channel open messages match deployed code. bz#2529
>
>  * ssh(1): Deduplicate LocalForward and RemoteForward entries to fix
>    failures when both ExitOnForwardFailure and hostname
>    canonicalisation are enabled. bz#2562
>
>  * sshd(8): Remove fallback from moduli to obsolete "primes" file
>    that was deprecated in 2001. bz#2559.
>
>  * sshd_config(5): Correct description of UseDNS: it affects ssh
>    hostname processing for authorized_keys, not known_hosts; bz#2554
>     
>  * ssh(1): Fix authentication using lone certificate keys in an agent
>    without corresponding private keys on the filesystem. bz#2550
>
>  * sshd(8): Send ClientAliveInterval pings when a time-based
>    RekeyLimit is set; previously keepalive packets were not being
>    sent. bz#2252
>     
> Portability
> -----------
>
>  * ssh(1), sshd(8): Fix compilation by automatically disabling ciphers
>    not supported by OpenSSL. bz#2466
>
>  * misc: Fix compilation failures on some versions of AIX's compiler
>    related to the definition of the VA_COPY macro. bz#2589
>
>  * sshd(8): Whitelist more architectures to enable the seccomp-bpf
>    sandbox. bz#2590
>
>  * ssh-agent(1), sftp-server(8): Disable process tracing on Solaris
>    using setpflags(__PROC_PROTECT, ...). bz#2584
>
>  * sshd(8): On Solaris, don't call Solaris setproject() with
>    UsePAM=yes; it's PAM's responsibility. bz#2425
>
> OpenSSH is brought to you by Markus Friedl, Niels Provos, Theo de
> Raadt, Kevin Steves, Damien Miller, Darren Tucker, Jason McIntyre,
> Tim Rice and Ben Lindstrom.

-- 
          Jeff Wieland            |         Purdue University
   Network Systems Administrator  |        ITIS UNIX Platforms
       Voice: (765)496-8234       |        155 S. Grant Street
        FAX: (765)496-1380        |      West Lafayette, IN 47907
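
The two password-authentication items in the quoted Security section (the 1024-character cap ahead of crypt(3), and timing that must not separate valid from invalid account names), sketched as an added example that is not OpenSSH code and not part of either message. PBKDF2 stands in for crypt(3), the dummy-entry approach is one assumed way to equalise the work, and the user name, work factor and function names are constructed for illustration.

```python
import hashlib
import hmac
import os

MAX_PASSWORD_LEN = 1024   # limit stated in the release notes
ITERATIONS = 50_000       # constructed work factor for the stand-in hash
_hash_calls = 0           # instrumentation: how often the slow hash ran


def slow_hash(password: bytes, salt: bytes) -> bytes:
    """Stand-in for crypt(3): deliberately expensive (assumption)."""
    global _hash_calls
    _hash_calls += 1
    return hashlib.pbkdf2_hmac("sha256", password, salt, ITERATIONS)


def hash_call_count() -> int:
    return _hash_calls


def make_entry(password: bytes) -> tuple:
    salt = os.urandom(16)
    return salt, slow_hash(password, salt)


# Constructed account database; "alice" is a hypothetical user.
USERS = {"alice": make_entry(b"correct horse")}

# Dummy entry built with the same algorithm and cost as real entries,
# so a lookup miss still pays for exactly one full hash.
FAKE_ENTRY = make_entry(os.urandom(32))


def check_password(user: str, password: bytes) -> bool:
    # 1. Length cap first: an oversized password never reaches the
    #    expensive hash, for valid and invalid names alike.
    if len(password) > MAX_PASSWORD_LEN:
        return False
    # 2. Unknown names are hashed against the dummy entry, so both
    #    paths do the same amount of work.
    salt, stored = USERS.get(user, FAKE_ENTRY)
    candidate = slow_hash(password, salt)
    # 3. Constant-time comparison; a dummy-entry match never counts.
    matches = hmac.compare_digest(candidate, stored)
    return matches and user in USERS
```
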


