Call for testing: OpenSSH 9.7

The Doctor doctor at doctor.nl2k.ab.ca
Wed Mar 6 17:20:20 AEDT 2024


On Tue, Mar 05, 2024 at 11:24:28AM +1100, Damien Miller wrote:
> 
> Hi,
> 
> OpenSSH 9.7p1 is almost ready for release, so we would appreciate testing
> on as many platforms and systems as possible. This is a bugfix release.
> 
> Snapshot releases for portable OpenSSH are available from
> http://www.mindrot.org/openssh_snap/
> 
> The OpenBSD version is available in CVS HEAD:
> http://www.openbsd.org/anoncvs.html
> 
> Portable OpenSSH is also available via git using the
> instructions at http://www.openssh.com/portable.html#cvs
> At https://anongit.mindrot.org/openssh.git/ or via a mirror at Github:
> https://github.com/openssh/openssh-portable
> 
> Running the regression tests supplied with Portable OpenSSH does not
> require installation and is a simply:
> 
> $ ./configure && make tests
> 
> Live testing on suitable non-production systems is also appreciated.
> Please send reports of success or failure to
> openssh-unix-dev at mindrot.org. Security bugs should be reported
> directly to openssh at openssh.com.
> 
> Below is a summary of changes. More detail may be found in the ChangeLog
> in the portable OpenSSH tarballs.
> 
> Thanks to the many people who contributed to this release.
> 
> Future deprecation notice
> =========================
> 
> OpenSSH plans to remove support for the DSA signature algorithm in
> early 2025 and compile-time disable it later this year.
> 
> DSA, as specified in the SSHv2 protocol, is inherently weak - being
> limited to a 160 bit private key and use of the SHA1 digest. Its
> estimated security level is only 80 bits symmetric equivalent.
> 
> OpenSSH has disabled DSA keys by default since 2015 but has retained
> run-time optional support for them. DSA was the only mandatory-to-
> implement algorithm in the SSHv2 RFCs[3], mostly because alternative
> algorithms were encumbered by patents when the SSHv2 protocol was
> specified.
> 
> This has not been the case for decades at this point and better
> algorithms are well supported by all actively-maintained SSH
> implementations. We do not consider the costs of maintaining DSA in
> OpenSSH to be justified and hope that removing it from OpenSSH can
> accelerate its wider deprecation in supporting cryptography
> libraries.
> 
> This release makes DSA support in OpenSSH compile-time optional,
> defaulting to on. We intend the next release to change the default
> to disable DSA at compile time. The first OpenSSH release of 2025
> will remove DSA support entirely.
> 
> Changes since OpenSSH 9.6
> =========================
> 
> This release contains mostly bugfixes.
> 
> New features
> ------------
> 
>  * ssh(1), sshd(8): add a "global" ChannelTimeout type that watches
>    all open channels and will close all open channels if there is no
>    traffic on any of them for the specified interval. This is in
>    addition to the existing per-channel timeouts added recently.
> 
>    This supports situations like having both session and x11
>    forwarding channels open where one may be idle for an extended
>    period but the other is actively used. The global timeout could
>    close both channels when both have been idle for too long.
> 
>  * All: make DSA key support compile-time optional, defaulting to on.
> 
> Bugfixes
> --------
> 
>  * sshd(8): don't append an unnecessary space to the end of subsystem
>    arguments (bz3667)
> 
>  * ssh(1): fix the multiplexing "channel proxy" mode, broken when
>    keystroke timing obfuscation was added. (GHPR#463)
> 
>  * ssh(1), sshd(8): fix spurious configuration parsing errors when
>    options that accept array arguments are overridden (bz3657).
> 
>  * Many fixes to manual pages and other documentation, including
>    GHPR#462, GHPR#454, GHPR#442 and GHPR#441.
> 
>  * Greatly improve interop testing against PuTTY.
> 
> Portability
> -----------
> 
>  * Improve the error message when the autoconf OpenSSL header check
>    fails (bz#3668)
> 
>  * Improve detection of broken toolchain -fzero-call-used-regs support
>    (bz3645).
> 
>  * Fix regress/misc/fuzz-harness fuzzers and make them compile without
>    warnings when using clang16
> 
> OpenSSH is brought to you by Markus Friedl, Niels Provos, Theo de
> Raadt, Kevin Steves, Damien Miller, Darren Tucker, Jason McIntyre,
> Tim Rice and Ben Lindstrom.
> 
> _______________________________________________
> openssh-unix-dev mailing list
> openssh-unix-dev at mindrot.org
> https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev


Showstopper problem!

I want configure to work with /usr/local/bin/openssl and not /usr/bin/openssl

-- 
Member - Liberal International This is doctor at nk.ca Ici doctor at nk.ca
Yahweh, King & country!Never Satan President Republic!Beware AntiChrist rising!
Look at Psalms 14 and 53 on Atheism ; unsubscribe from Google Groups to be seen
What worth the power of law that won't stop lawlessness?  -unknown 


More information about the openssh-unix-dev mailing list