Call for testing: OpenSSH 9.7
The Doctor
doctor at doctor.nl2k.ab.ca
Wed Mar 6 17:20:20 AEDT 2024
On Tue, Mar 05, 2024 at 11:24:28AM +1100, Damien Miller wrote:
>
> Hi,
>
> OpenSSH 9.7p1 is almost ready for release, so we would appreciate testing
> on as many platforms and systems as possible. This is a bugfix release.
>
> Snapshot releases for portable OpenSSH are available from
> http://www.mindrot.org/openssh_snap/
>
> The OpenBSD version is available in CVS HEAD:
> http://www.openbsd.org/anoncvs.html
>
> Portable OpenSSH is also available via git using the
> instructions at http://www.openssh.com/portable.html#cvs
> At https://anongit.mindrot.org/openssh.git/ or via a mirror at Github:
> https://github.com/openssh/openssh-portable
>
> Running the regression tests supplied with Portable OpenSSH does not
> require installation and is a simply:
>
> $ ./configure && make tests
>
> Live testing on suitable non-production systems is also appreciated.
> Please send reports of success or failure to
> openssh-unix-dev at mindrot.org. Security bugs should be reported
> directly to openssh at openssh.com.
>
> Below is a summary of changes. More detail may be found in the ChangeLog
> in the portable OpenSSH tarballs.
>
> Thanks to the many people who contributed to this release.
>
> Future deprecation notice
> =========================
>
> OpenSSH plans to remove support for the DSA signature algorithm in
> early 2025 and compile-time disable it later this year.
>
> DSA, as specified in the SSHv2 protocol, is inherently weak - being
> limited to a 160 bit private key and use of the SHA1 digest. Its
> estimated security level is only 80 bits symmetric equivalent.
>
> OpenSSH has disabled DSA keys by default since 2015 but has retained
> run-time optional support for them. DSA was the only mandatory-to-
> implement algorithm in the SSHv2 RFCs[3], mostly because alternative
> algorithms were encumbered by patents when the SSHv2 protocol was
> specified.
>
> This has not been the case for decades at this point and better
> algorithms are well supported by all actively-maintained SSH
> implementations. We do not consider the costs of maintaining DSA in
> OpenSSH to be justified and hope that removing it from OpenSSH can
> accelerate its wider deprecation in supporting cryptography
> libraries.
>
> This release makes DSA support in OpenSSH compile-time optional,
> defaulting to on. We intend the next release to change the default
> to disable DSA at compile time. The first OpenSSH release of 2025
> will remove DSA support entirely.
>
> Changes since OpenSSH 9.6
> =========================
>
> This release contains mostly bugfixes.
>
> New features
> ------------
>
> * ssh(1), sshd(8): add a "global" ChannelTimeout type that watches
> all open channels and will close all open channels if there is no
> traffic on any of them for the specified interval. This is in
> addition to the existing per-channel timeouts added recently.
>
> This supports situations like having both session and x11
> forwarding channels open where one may be idle for an extended
> period but the other is actively used. The global timeout could
> close both channels when both have been idle for too long.
>
> * All: make DSA key support compile-time optional, defaulting to on.
>
> Bugfixes
> --------
>
> * sshd(8): don't append an unnecessary space to the end of subsystem
> arguments (bz3667)
>
> * ssh(1): fix the multiplexing "channel proxy" mode, broken when
> keystroke timing obfuscation was added. (GHPR#463)
>
> * ssh(1), sshd(8): fix spurious configuration parsing errors when
> options that accept array arguments are overridden (bz3657).
>
> * Many fixes to manual pages and other documentation, including
> GHPR#462, GHPR#454, GHPR#442 and GHPR#441.
>
> * Greatly improve interop testing against PuTTY.
>
> Portability
> -----------
>
> * Improve the error message when the autoconf OpenSSL header check
> fails (bz#3668)
>
> * Improve detection of broken toolchain -fzero-call-used-regs support
> (bz3645).
>
> * Fix regress/misc/fuzz-harness fuzzers and make them compile without
> warnings when using clang16
>
> OpenSSH is brought to you by Markus Friedl, Niels Provos, Theo de
> Raadt, Kevin Steves, Damien Miller, Darren Tucker, Jason McIntyre,
> Tim Rice and Ben Lindstrom.
>
> _______________________________________________
> openssh-unix-dev mailing list
> openssh-unix-dev at mindrot.org
> https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
Showstopper problem!
I want configure to work with /usr/local/bin/openssl and not /usr/bin/openssl
--
Member - Liberal International This is doctor at nk.ca Ici doctor at nk.ca
Yahweh, King & country!Never Satan President Republic!Beware AntiChrist rising!
Look at Psalms 14 and 53 on Atheism ; unsubscribe from Google Groups to be seen
What worth the power of law that won't stop lawlessness? -unknown
More information about the openssh-unix-dev
mailing list