Re: Call for testing: OpenSSH 7.5p1

[Date Prev] [Date Next] [Thread Prev] [Thread Next] [Date Index] [Thread Index]

 



special snowflake reporting in. looks good here too.

thanks for all your hardwork, folks!

On Tue, Mar 14, 2017 at 3:40 AM, Damien Miller <djm@xxxxxxxxxxx> wrote:
> Hi,
>
> OpenSSH 7.5p1 is almost ready for release, so we would appreciate testing
> on as many platforms and systems as possible. This is a bugfix release.
>
> Snapshot releases for portable OpenSSH are available from
> http://www.mindrot.org/openssh_snap/
>
> The OpenBSD version is available in CVS HEAD:
> http://www.openbsd.org/anoncvs.html
>
> Portable OpenSSH is also available via git using the
> instructions at http://www.openssh.com/portable.html#cvs
> At https://anongit.mindrot.org/openssh.git/ or via a mirror at Github:
> https://github.com/openssh/openssh-portable
>
> Running the regression tests supplied with Portable OpenSSH does not
> require installation and is a simply:
>
> $ ./configure && make tests
>
> Live testing on suitable non-production systems is also
> appreciated. Please send reports of success or failure to
> openssh-unix-dev@xxxxxxxxxxx.
>
> Below is a summary of changes. More detail may be found in the ChangeLog
> in the portable OpenSSH tarballs.
>
> Thanks to the many people who contributed to this release.
>
> Future deprecation notice
> =========================
>
> We plan on retiring more legacy cryptography in future releases,
> specifically:
>
>  * In the next major release (expected June-August), removing remaining
>    support for the SSH v.1 protocol (currently client-only and compile-
>    time disabled).
>
>  * In the same release, removing support for Blowfish and RC4 ciphers
>    and the RIPE-MD160 HMAC. (These are currently run-time disabled).
>
>  * In the same release, removing the remaining CBC ciphers from being
>    offered by default in the client (These have not been offered in
>    sshd by default for several years).
>
>  * Refusing all RSA keys smaller than 1024 bits (the current minimum
>    is 768 bits)
>
> This list reflects our current intentions, but please check the final
> release notes for future releases.
>
> Potentially-incompatible changes
> ================================
>
> This release includes a number of changes that may affect existing
> configurations:
>
>  * This release deprecates the sshd_config UsePrivilegeSeparation
>    option, thereby making privilege separation mandatory. Privilege
>    separation has been on by default for almost 15 years.
>
>  * The format of several log messages emitted by the packet code has
>    changed to include additional information about the user and
>    their authentication state. Software that monitors ssh/sshd logs
>    may need to account for these changes. For example:
>
>    Connection closed by user x 1.1.1.1 port 1234 [preauth]
>    Connection closed by authenticating user x 10.1.1.1 port 1234 [preauth]
>    Connection closed by invalid user x 1.1.1.1 port 1234 [preauth]
>
>    Affected messages include connection closure, timeout, remote
>    disconnection, negotiation failure and some other fatal messages
>    generated by the packet code.
>
> Changes since OpenSSH 7.4
> =========================
>
> This is a bugfix release.
>
> New Features
> ------------
>
>  * ssh(1), sshd(8): Support "=-" syntax to easily remove methods from
>    algorithm lists, e.g. Ciphers=-*cbc. bz#2671
>
> Bugfixes
> --------
>
>  * ssh(1), sshd(8): Allow form-feed characters to appear in
>    configuration files.
>
>  * sshd(8): Fix regression in OpenSSH 7.4 support for the
>    server-sig-algs extension, where SHA2 RSA signature methods were
>    not being correctly advertised. bz#2680
>
>  * ssh(1), ssh-keygen(1): Fix a number of case-sensitivity bugs in
>    known_hosts processing. bz#2591 bz#2685
>
>  * ssh(1): Allow ssh to use certificates accompanied by a private key
>    file but no corresponding plain *.pub public key. bz#2617
>
>  * ssh(1): When updating hostkeys using the UpdateHostKeys option,
>    accept RSA keys if HostkeyAlgorithms contains any RSA keytype.
>    Previously, ssh could ignore RSA keys when only the ssh-rsa-sha2-*
>    methods were enabled in HostkeyAlgorithms and not the old ssh-rsa
>    method. bz#2650
>
>  * ssh(1): Detect and report excessively long configuration file
>    lines. bz#2651
>
>  * Merge a number of fixes found by Coverity and reported via Redhat
>    and FreeBSD. Includes fixes for some memory and file descriptor
>    leaks in error paths. bz#2687
>
>  * ssh-keyscan(1): Correctly hash hosts with a port number. bz#2692
>
>  * ssh(1), sshd(8): When logging long messages to stderr, don't truncate
>    "\r\n" if the length of the message exceeds the buffer. bz#2688
>
>  * ssh(1): Fully quote [host]:port in generated ProxyJump/-J command-
>    line; avoid confusion over IPv6 addresses and shells that treat
>    square bracket characters specially.
>
>  * ssh-keygen(1): Fix corruption of known_hosts when running
>    "ssh-keygen -H" on a known_hosts containing already-hashed entries.
>
>  * Fix various fallout and sharp edges caused by removing SSH protocol
>    1 support from the server, including the server banner string being
>    incorrectly terminated with only \n (instead of \r\n), and
>    confusing error messages from ssh-keyscan bz#2583.
>
>  * ssh(1), sshd(8): Free fd_set on connection timeout. bz#2683
>
>  * sshd(8): Fix Unix domain socket forwarding for root (regression in
>    OpenSSH 7.4).
>
>  * sftp(1): Fix division by zero crash in "df" output when server
>    returns zero total filesystem blocks/inodes.
>
>  * ssh(1), ssh-add(1), ssh-keygen(1), sshd(8): Translate OpenSSL errors
>    encountered during key loading to more meaningful error codes.
>    bz#2522 bz#2523
>
>  * ssh-keygen(1): Sanitise escape sequences in key comments sent to
>    printf but preserve valid UTF-8 when the locale supports it;
>    bz#2520
>
>  * ssh(1), sshd(8): Return reason for port forwarding failures where
>    feasible rather than always "administratively prohibited". bz#2674
>
>  * sshd(8): Fix deadlock when AuthorizedKeysCommand or
>    AuthorizedPrincipalsCommand produces a lot of output and a key is
>    matched early. bz#2655
>
>  * Regression tests: several reliability fixes. bz#2654 bz#2658 bz#2659
>
>  * ssh(1): Fix typo in ~C error message for bad port forward
>    cancellation. bz#2672
>
>  * ssh(1): Show a useful error message when included config files
>    can't be opened; bz#2653
>
>  * sshd(8): Make sshd set GSSAPIStrictAcceptorCheck=yes as the manual page
>    (previously incorrectly) advertised. bz#2637
>
>  * sshd_config(5): Repair accidentally-deleted mention of %k token
>    in AuthorizedKeysCommand; bz#2656
>
>  * sshd(8): Remove vestiges of previously removed LOGIN_PROGRAM; bzbz#2665
>
>  * ssh-agent(1): Relax PKCS#11 whitelist to include libexec and
>    common 32-bit compatibility library directories.
>
>  * sftp-client(1): fix non-exploitable integer overflow in SSH2_FXP_NAME
>    response handling.
>
> Portability
> -----------
>
>  * sshd(8): Avoid sandbox errors for Linux S390 systems using an ICA
>    crypto coprocessor.
>
>  * sshd(8): Fix non-exploitable weakness in seccomp-bpf sandbox arg
>    inspection.
>
>  * ssh(1): Fix X11 forwarding on OSX where X11 was being started by
>    launchd. bz#2341
>
>  * ssh-keygen(1), ssh(1), sftp(1): Fix output truncation for various that
>    contain non-printable characters where the codeset in use is ASCII.
>
>  * build: Fix builds that attempt to link a kerberised libldns. bz#2603
>
>  * build: Fix compilation problems caused by unconditionally defining
>    _XOPEN_SOURCE in wide character detection.
>
>  * sshd(8): Fix sandbox violations for clock_gettime VSDO syscall
>    fallback on some Linux/X32 kernels. bz#2142
>
> OpenSSH is brought to you by Markus Friedl, Niels Provos, Theo de
> Raadt, Kevin Steves, Damien Miller, Darren Tucker, Jason McIntyre,
> Tim Rice and Ben Lindstrom.
>
> _______________________________________________
> openssh-unix-dev mailing list
> openssh-unix-dev@xxxxxxxxxxx
> https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev



[Date Prev] [Date Next] [Thread Prev] [Thread Next] [Date Index] [Thread Index]

[Index of Archives]     [Linux ARM Kernel]     [Linux ARM]     [Linux Omap]     [Fedora ARM]     [IETF Annouce]     [Security]     [Bugtraq]     [Linux]     [Linux OMAP]     [Linux MIPS]     [ECOS]     [Asterisk Internet PBX]     [Linux API]

  Powered by Linux