Call for testing: OpenSSH 7.7

The Doctor doctor at doctor.nl2k.ab.ca
Fri Mar 23 04:40:15 AEDT 2018


On Thu, Mar 22, 2018 at 02:42:46PM +1100, Damien Miller wrote:
> Hi,
> 
> OpenSSH 7.7p1 is almost ready for release, so we would appreciate testing
> on as many platforms and systems as possible. This is a bugfix release.
> 
> Snapshot releases for portable OpenSSH are available from
> http://www.mindrot.org/openssh_snap/
> 
> The OpenBSD version is available in CVS HEAD:
> http://www.openbsd.org/anoncvs.html
> 
> Portable OpenSSH is also available via git using the
> instructions at http://www.openssh.com/portable.html#cvs
> At https://anongit.mindrot.org/openssh.git/ or via a mirror at Github:
> https://github.com/openssh/openssh-portable
> 
> Running the regression tests supplied with Portable OpenSSH does not
> require installation and is simply:
> 
> $ ./configure && make tests
>



Looking good on FreeBSD 11.1 

failed copy of /bin/ls
cmp: EOF on /usr/source/openssh-SNAP-20180323/regress/copy
corrupted copy of /bin/ls
Exit request sent.
Exit request sent.
Exit request sent.
Exit request sent.
Exit request sent.
Exit request sent.
Exit request sent.
Exit request sent.
failed local and remote forwarding
*** Error code 1

Stop.
make[1]: stopped in /usr/source/openssh-SNAP-20180323/regress
*** Error code 1

Stop.
make: stopped in /usr/source/openssh-SNAP-20180323

crops up yet again.

Nice to see that openssl 1.1 is not integrated and that is mentioned in the compile
set up

on one server.  The other is all right!

> Live testing on suitable non-production systems is also appreciated.
> Please send reports of success or failure to
> openssh-unix-dev at mindrot.org. Security bugs should be reported
> directly to openssh at openssh.com.
> 
> Below is a summary of changes. More detail may be found in the ChangeLog
> in the portable OpenSSH tarballs.
> 
> Thanks to the many people who contributed to this release.
> 
> Potentially-incompatible changes
> ================================
> 
> This release includes a number of changes that may affect existing
> configurations:
> 
>  * ssh(1)/sshd(8): Drop compatibility support for some very old SSH
>    implementations, including ssh.com <=2.* and OpenSSH <= 3.*.
>    These versions were all released in or before 2001 and predate the
>    final SSH RFCs. The support in question isn't necessary for RFC-
>    compliant SSH implementations.
> 
> Changes since OpenSSH 7.6
> =========================
> 
> This is primarily a bugfix release.
> 
> New Features
> ------------
> 
>  * All: Add experimental support for PQC XMSS keys (Extended Hash-
>    Based Signatures) based on the algorithm described in
>    https://tools.ietf.org/html/draft-irtf-cfrg-xmss-hash-based-signatures-12
>    The XMSS signature code is experimental and not compiled in by
>    default.
> 
>  * sshd(8): Add a "rdomain" criteria for the sshd_config Match keyword
>    to allow conditional configuration that depends on which routing
>    domain a connection was received on (currently supported on OpenBSD
>    and Linux).
> 
>  * sshd_config(5): Add an optional rdomain qualifier to the
>    ListenAddress directive to allow listening on different routing
>    domains. This is supported only on OpenBSD and Linux at present.
> 
>  * sshd_config(5): Add RDomain directive to allow the authenticated
>    session to be placed in an explicit routing domain. This is only
>    supported on OpenBSD at present.
> 
>  * sshd(8): Add "expiry-time" option for authorized_keys files to
>    allow for expiring keys.
> 
>  * ssh(1): Add a BindInterface option to allow binding the outgoing
>    connection to an interface's address (basically a more usable
>    BindAddress)
> 
>  * ssh(1): Expose device allocated for tun/tap forwarding via a new
>    %T expansion for LocalCommand. This allows LocalCommand to be used
>    to prepare the interface.
> 
>  * sshd(8): Expose the device allocated for tun/tap forwarding via a
>    new SSH_TUNNEL environment variable. This allows automatic setup of
>    the interface and surrounding network configuration automatically on
>    the server.
> 
>  * ssh(1)/scp(1)/sftp(1): Add URI support to ssh, sftp and scp, e.g.
>    ssh://user@host or sftp://user@host/path.  Additional connection
>    parameters described in draft-ietf-secsh-scp-sftp-ssh-uri-04 are not
>    implemented since the ssh fingerprint format in the draft uses the
>    deprecated MD5 hash with no way to specify any other algorithm.
> 
>  * ssh-keygen(1): Allow certificate validity intervals that specify
>    only a start or stop time (instead of both or neither).
> 
>  * sftp(1): Allow "cd" and "lcd" commands with no explicit path
>    argument. lcd will change to the local user's home directory as
>    usual. cd will change to the starting directory for session (because
>    the protocol offers no way to obtain the remote user's home
>    directory). bz#2760
> 
>  * sshd(8): When doing a config test with sshd -T, only require the
>    attributes that are actually used in Match criteria rather than (an
>    incomplete list of) all criteria.
> 
>  * sshd(8): Fix support for clients that advertise a protocol version
>    of "1.99" (indicating that they are prepared to accept both SSHv1 and
>    SSHv2). This was broken in OpenSSH 7.6 during the removal of SSHv1
>    support. bz#2810
> 
> Bugfixes
> --------
> 
>  * ssh(1): Warn when the agent returns a ssh-rsa (SHA1) signature when
>    a rsa-sha2-256/512 signature was requested. This condition is possible
>    when an old or non-OpenSSH agent is in use. bz#2799
> 
>  * ssh(1)/sshd(8): More strictly check signature types during key
>    exchange against what was negotiated. Prevents downgrade of RSA
>    signatures made with SHA-256/512 to SHA-1.
> 
>  * ssh-agent(1): Fix regression introduced in 7.6 that caused ssh-agent
>    to fatally exit if presented an invalid signature request message.
> 
>  * sshd_config(5): Accept yes/no flag options case-insensitively, as
>    has been the case in ssh_config(5) for a long time. bz#2664
> 
>  * ssh(1): Improve error reporting for failures during connection.
>    Under some circumstances misleading errors were being shown. bz#2814
> 
>  * ssh-keyscan(1): Add -D option to allow printing of results directly
>    in SSHFP format. bz#2821
> 
>  * regress tests: fix PuTTY interop test broken in last release's SSHv1
>    removal. bz#2823
> 
>  * ssh(1): Compatibility fix for some servers that erroneously drop the
>    connection when the IUTF8 (RFC8160) option is sent.
> 
>  * scp(1): Disable RemoteCommand and RequestTTY in the ssh session
>    started by scp (sftp was already doing this.)
> 
>  * ssh-keygen(1): Refuse to create a certificate with an unusable
>    number of principals.
> 
>  * ssh-keygen(1): Fatally exit if ssh-keygen is unable to write all the
>    public key during key generation. Previously it would silently
>    ignore errors writing the comment and terminating newline.
> 
>  * ssh(1): Do not modify hostname arguments that are addresses by
>    automatically forcing them to lower-case. Instead canonicalise them
>    to resolve ambiguities (e.g. ::0001 => ::1) before they are matched
>    against known_hosts. bz#2763
> 
>  * ssh(1): Don't accept junk after "yes" or "no" responses to hostkey
>    prompts. bz#2803
> 
>  * sftp(1): Have sftp print a warning about shell cleanliness when
>    decoding the first packet fails, which is usually caused by shells
>    polluting stdout of non-interactive startups. bz#2800
> 
>  * ssh(1)/sshd(8): Switch timers in packet code from using wall-clock
>    time to monotonic time, allowing the packet layer to better function
>    over a clock step and avoiding possible integer overflows during
>    steps.
> 
>  * Numerous manual page fixes and improvements.
> 
> Portability
> -----------
> 
>  * sshd(8): Correctly detect MIPS ABI in use at configure time. Fixes
>    sandbox violations on some environments.
> 
>  * sshd(8): Remove UNICOS support. The hardware and software are literal
>    museum pieces and support in sshd is too intrusive to justify
>    maintaining.
> 
>  * All: Build and link with "retpoline" flags when available to mitigate
>    the "branch target injection" style (variant 2) of the Spectre
>    branch-prediction vulnerability.
> 
>  * All: Add auto-generated dependency information to Makefile.
> 
>  * Numerous fixes to the RPM spec files.
> 
> OpenSSH is brought to you by Markus Friedl, Niels Provos, Theo de
> Raadt, Kevin Steves, Damien Miller, Darren Tucker, Jason McIntyre,
> Tim Rice and Ben Lindstrom.

-- 
Member - Liberal International This is doctor@@nl2k.ab.ca Ici doctor@@nl2k.ab.ca
Yahweh, Queen & country!Never Satan President Republic!Beware AntiChrist rising!
https://www.empire.kred/ROOTNK?t=94a1f39b  Look at Psalms 14 and 53 on Atheism
Always seek out the seed of triumph in every adversity.  -Og Mandino
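
The "expiry-time" option for authorized_keys listed under New Features above makes stale keys auditable. The script below is an added example, not part of the original message or of OpenSSH; it assumes the timestamp format documented in sshd(8) (YYYYMMDD or YYYYMMDDHHMM[SS], local time), and the function names and sample keys are constructed for illustration.

```python
import re
from datetime import datetime

FORMATS = {8: "%Y%m%d", 12: "%Y%m%d%H%M", 14: "%Y%m%d%H%M%S"}
# One option: name, optional ="quoted value" (may hold commas, spaces, \"),
# then either a comma (more options follow) or whitespace (options end).
OPTION = re.compile(r'([\w-]+)(?:="((?:\\.|[^"\\])*)")?(,|\s)')
# Constructed sample: key blobs are placeholders, not real keys.
SAMPLE = """\
# team keys
ssh-ed25519 AAAAC3PLACEHOLDER1 alice@example
expiry-time="20180101" ssh-ed25519 AAAAC3PLACEHOLDER2 contractor@example
command="/usr/bin/backup --tag a,b",expiry-time="203001011200" ssh-rsa AAAAB3PLACEHOLDER3 backup@example
restrict,expiry-time="2018-03" ssh-rsa AAAAB3PLACEHOLDER4 typo@example
"""

def parse_options(line):
    """Return [(name, value)]; a line without options yields only its key type."""
    opts, pos = [], 0
    while (m := OPTION.match(line, pos)):
        opts.append((m.group(1).lower(), m.group(2)))
        pos = m.end()
        if m.group(3) != ",":
            break
    return opts

def parse_expiry(value):
    """Parse YYYYMMDD or YYYYMMDDHHMM[SS]; raise ValueError on anything else."""
    if len(value) not in FORMATS or not value.isdigit():
        raise ValueError(value)
    return datetime.strptime(value, FORMATS[len(value)])

def audit(text, now):
    """Return (line number, status, earliest expiry) for every key line."""
    report = []
    for n, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        stamps = [v or "" for name, v in parse_options(line) if name == "expiry-time"]
        try:
            expiry = min(map(parse_expiry, stamps), default=None)
            status = "no-expiry" if expiry is None else "expired" if expiry < now else "valid"
        except ValueError:
            expiry, status = None, "invalid-expiry"
        report.append((n, status, expiry))
    return report

if __name__ == "__main__":
    print(*audit(SAMPLE, datetime.now()), sep="\n")
```

Keys reported as "no-expiry" are the ones to review first on hosts where every key is expected to carry a lifetime; "invalid-expiry" flags a timestamp this script could not parse.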

