
scott_n at xypro
Feb 18, 2009, 8:36 AM
FW: Call for testing: openssh-5.2
Whoops -- sent to wrong address...

Mandriva 2008.1 openssh-SNAP-20090218 passes all tests.

> -----Original Message-----
> From: Scott Neugroschl
> Sent: Tuesday, February 17, 2009 10:06 AM
> To: Damien Miller
> Subject: RE: Call for testing: openssh-5.2
>
> Mandriva 2008.1 -- openssh-SNAP-20090218 passes
>
>
> -----Original Message-----
> From: openssh-unix-dev-bounces+scott_n=xypro.com [at] mindrot on behalf
> of Damien Miller
> Sent: Sun 2/15/2009 8:32 PM
> To: openssh-unix-dev [at] mindrot
> Subject: Call for testing: openssh-5.2
>
> Hi,
>
> OpenSSH 5.2 is almost ready for release, so we would appreciate testing
> on as many platforms and systems as possible. This is primarily a
> bug-fix release, to follow the feature-focused 5.1 release.
>
> Snapshot releases for portable OpenSSH are available from
> http://www.mindrot.org/openssh_snap/
>
> The OpenBSD version is available in CVS HEAD:
> http://www.openbsd.org/anoncvs.html
>
> Portable OpenSSH is also available via anonymous CVS using the
> instructions at http://www.openssh.com/portable.html#cvs
>
> Running the regression tests supplied with Portable OpenSSH does not
> require installation and is simply:
>
>     $ ./configure && make tests
>
> Live testing on suitable non-production systems is also appreciated.
> Please send reports of success or failure to
> openssh-unix-dev [at] mindrot
>
> Below is a summary of changes. More detail may be found in the
> ChangeLog in the portable OpenSSH tarballs.
>
> Thanks to the many people who contributed to this release.
>
>
> Changes since OpenSSH 5.1
> =========================
>
> Security:
>
>  * This release changes the default cipher order to prefer the AES CTR
>    modes and the revised "arcfour256" mode to CBC mode ciphers that are
>    susceptible to CPNI-957037 "Plaintext Recovery Attack Against SSH".
>
>  * This release also adds countermeasures to mitigate CPNI-957037-style
>    attacks against the SSH protocol's use of CBC-mode ciphers. Upon
>    detection of an invalid packet length or Message Authentication
>    Code, ssh/sshd will continue reading up to the maximum supported
>    packet length rather than immediately terminating the connection.
>    This eliminates most of the known differences in behaviour that
>    leaked information about the plaintext of injected data which formed
>    the basis of this attack. We believe that these attacks are rendered
>    infeasible by these changes.
>
> New features:
>
>  * Added a -y option to ssh(1) to force logging to syslog rather than
>    stderr, which is useful when running daemonised (ssh -f)
>
>  * The sshd_config(5) ForceCommand directive now accepts commandline
>    arguments for the internal-sftp server.
>
>  * The ssh(1) ~C escape commandline now supports runtime creation of
>    dynamic (-D) port forwards.
>
>  * Support the SOCKS4A protocol in ssh(1) dynamic (-D) forwards.
>    (bz#1482)
>
>  * Support remote port forwarding with a listen port of '0'. This
>    informs the server that it should dynamically allocate a listen
>    port and report it back to the client. (bz#1003)
>
>  * sshd(8) now supports setting PermitEmptyPasswords and
>    AllowAgentForwarding in Match blocks
>
> Bug and documentation fixes
>
>  * Repair a ssh(1) crash introduced in openssh-5.1 when the client is
>    sent a zero-length banner (bz#1496)
>
>  * Due to interoperability problems with certain
>    broken SSH implementations, the eow [at] openssh and
>    no-more-sessions [at] openssh protocol extensions are now only sent
>    to peers that identify themselves as OpenSSH.
>
>  * Make ssh(1) send the correct channel number for
>    SSH2_MSG_CHANNEL_SUCCESS and SSH2_MSG_CHANNEL_FAILURE messages to
>    avoid triggering 'Non-public channel' error messages on sshd(8) in
>    openssh-5.1.
>
>  * Avoid printing 'Non-public channel' warnings in sshd(8), since the
>    ssh(1) has sent incorrect channel numbers since ~2004 (this reverts
>    a behaviour introduced in openssh-5.1).
>
>  * Avoid double-free in ssh(1) ~C escape -L handler (bz#1539)
>
>  * Correct fail-on-error behaviour in sftp(1) batchmode for remote
>    stat operations. (bz#1541)
>
>  * Disable nonfunctional ssh(1) ~C escape handler in multiplex slave
>    connections. (bz#1543)
>
>  * Avoid hang in ssh(1) when attempting to connect to a server that
>    has MaxSessions=0 set.
>
>  * Multiple fixes to sshd(8) configuration test (-T) mode
>
>  * Several core and portable OpenSSH bugs fixed: 1380, 1412, 1418,
>    1419, 1421, 1490, 1491, 1492, 1514, 1515, 1518, 1520, 1538, 1540
>
>  * Many manual page improvements.
>
>
> -d
> _______________________________________________
> openssh-unix-dev mailing list
> openssh-unix-dev [at] mindrot
> https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
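
The second security item in the quoted release notes describes reading on to the maximum packet length instead of disconnecting at once. The following is an added example, not part of the original message and not OpenSSH code: a simplified model of that countermeasure in which every constant and function name is an assumption, showing that the disconnect point stops depending on the decrypted length field.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* All constants are assumptions for this model, not values from the post. */
#define BLOCK_SIZE  16u             /* cipher block size in bytes */
#define MAC_LEN     20u             /* MAC tag length in bytes */
#define MIN_PKT_LEN 5u              /* smallest length field accepted */
#define MAX_PKT_LEN (256u * 1024u)  /* largest length field accepted */
#define DRAIN_POINT (4u + MAX_PKT_LEN + MAC_LEN) /* one maximum-size packet */

/*
 * Bytes consumed before the receiver closes the connection, given the
 * length field `len` decrypted from the first block of a packet whose MAC
 * will not verify. discard == 0 models terminating as soon as the error is
 * seen; discard != 0 models the countermeasure of reading on to a fixed point.
 */
size_t bytes_before_disconnect(uint32_t len, int discard)
{
    size_t seen_at;

    if (len < MIN_PKT_LEN || len > MAX_PKT_LEN)
        seen_at = BLOCK_SIZE;                 /* bad length: known after block 1 */
    else
        seen_at = 4u + (size_t)len + MAC_LEN; /* bad MAC: known after the tag */

    return discard ? (size_t)DRAIN_POINT : seen_at;
}

/* Returns 1 if every length field in lens[] gives the same disconnect point. */
int disconnect_point_is_constant(const uint32_t *lens, size_t n, int discard)
{
    for (size_t i = 1; i < n; i++)
        if (bytes_before_disconnect(lens[i], discard) !=
            bytes_before_disconnect(lens[0], discard))
            return 0;
    return 1;
}

int main(void)
{
    /* Constructed sample length fields: too small, valid, valid, too large. */
    const uint32_t lens[] = { 0u, 32u, 1024u, 0xdeadbeefu };
    size_t n = sizeof lens / sizeof lens[0];

    for (size_t i = 0; i < n; i++)
        printf("len=%-10u immediate=%-7zu discard=%zu\n", (unsigned)lens[i],
               bytes_before_disconnect(lens[i], 0),
               bytes_before_disconnect(lens[i], 1));
    printf("constant: immediate=%d discard=%d\n",
           disconnect_point_is_constant(lens, n, 0),
           disconnect_point_is_constant(lens, n, 1));
    return 0;
}
```

The same invariant can serve as a regression check on any packet reader: for corrupt input, the number of bytes consumed before closing should not vary with the decrypted length field.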