Re: Call for testing: OpenSSH 9.4

[Date Prev] [Date Next] [Thread Prev] [Thread Next] [Date Index] [Thread Index]


Hi Damien,

Builds fine on Cygwin, all tests pass.


On Jul 31 16:12, Damien Miller wrote:
> Hi,
> OpenSSH 9.4 is almost ready for release, so we would appreciate testing
> on as many platforms and systems as possible. This is a bugfix release.
> Snapshot releases for portable OpenSSH are available from
> The OpenBSD version is available in CVS HEAD:
> Portable OpenSSH is also available via git using the
> instructions at
> At or via a mirror at Github:
> Running the regression tests supplied with Portable OpenSSH does not
> require installation and is a simply:
> $ ./configure && make tests
> Live testing on suitable non-production systems is also appreciated.
> Please send reports of success or failure to
> openssh-unix-dev@xxxxxxxxxxx. Security bugs should be reported
> directly to openssh@xxxxxxxxxxx.
> Below is a summary of changes. More detail may be found in the ChangeLog
> in the portable OpenSSH tarballs.
> Thanks to the many people who contributed to this release.
> Changes since OpenSSH 9.3p2
> ===========================
> This release fixes a number of bugs and adds some small features.
> Potentially incompatible changes
> --------------------------------
>  * This release removes support for older versions of libcrypto.
>    OpenSSH now requires LibreSSL >= 3.1.0 or OpenSSL >= 1.1.1.
>    Note that these versions are already deprecated by their upstream
>    vendors.
>  * ssh-agent(1): PKCS#11 modules must now be specified by their full
>    paths. Previously dlopen(3) could search for them in system
>    library directories.
> New features
> ------------
>  * ssh(1): allow forwarding Unix Domain sockets via ssh -W.
>  * ssh(1): add support for configuration tags to ssh(1).
>    This adds a ssh_config(5) "Tag" directive and corresponding
>    "Match tag" predicate that may be used to select blocks of
>    configuration similar to the pf.conf(5) keywords of the same
>    name.
>  * ssh(1): add a "match localnetwork" predicate. This allows matching
>    on the addresses of available network interfaces and may be used to
>    vary the effective client configuration based on network location.
>  * ssh(1), sshd(8), ssh-keygen(1): infrastructure support for KRL
>    extensions.  This defines wire formats for optional KRL extensions
>    and implements parsing of the new submessages. No actual extensions
>    are supported at this point.
>  * sshd(8): AuthorizedPrincipalsCommand and AuthorizedKeysCommand now
>    accept two additional %-expansion sequences: %D which expands to
>    the routing domain of the connected session and %C which expands
>    to the addresses and port numbers for the source and destination
>    of the connection.
>  * ssh-keygen(1): increase the default work factor (rounds) for the
>    bcrypt KDF used to derive symmetric encryption keys for passphrase
>    protected key files by 50%.
> Bugfixes
> --------
>  * ssh-agent(1): improve isolation between loaded PKCS#11 modules
>    by running seperate ssh-pkcs11-helpers for each loaded provider.
>  * ssh(1): make -f (fork after authentication) work correctly with
>    multiplexed connections, including ControlPersist. bz3589 bz3589
>  * ssh-agent(1), ssh(1): improve defences against invalid PKCS#11
>    modules being loaded by checking that the requested module
>    contains the required symbol before loading it.
>  * sshd(8): fix AuthorizedPrincipalsCommand when AuthorizedKeysCommand
>    appears before it in sshd_config. Since OpenSSH 8.7 the
>    AuthorizedPrincipalsCommand directive was incorrectly ignored in
>    this situation. bz3574
>  * sshd(8), ssh(1), ssh-keygen(1): remove vestigal support for KRL
>    signatures When the KRL format was originally defined, it included
>    support for signing of KRL objects. However, the code to sign KRLs
>    and verify KRL signatues was never completed in OpenSSH. This
>    release removes the partially-implemented code to verify KRLs.
>    All OpenSSH tools now ignore KRL_SECTION_SIGNATURE sections in
>    KRL files.
>  * All: fix a number of memory leaks and unreachable/harmless integer
>    overflows.
>  * ssh-agent(1), ssh(1): don't truncate strings logged from PKCS#11
>    modules; GHPR406
>  * sshd(8), ssh(1): better validate CASignatureAlgorithms in
>    ssh_config and sshd_config. Previously this directive would accept
>    certificate algorithm names, but these were unusable in practice as
>    OpenSSH does not support CA chains. bz3577
>  * ssh(1): make `ssh -Q CASignatureAlgorithms` only list signature
>    algorithms that are valid for CA signing. Previous behaviour was
>    to list all signing algorithms, including certificate algorithms.
>  * ssh-keyscan(1): gracefully handle systems where rlimits or the
>    maximum number of open files is larger than INT_MAX; bz3581
>  * ssh-keygen(1): fix "no comment" not showing on when running
>    `ssh-keygen -l` on multiple keys where one has a comment and other
>    following keys do not. bz3580
>  * scp(1), sftp(1): adjust ftruncate() logic to handle servers that
>    reorder requests. Previously, if the server reordered requests then
>    the resultant file would be erroneously truncated.
>  * ssh(1): don't incorrectly disable hostname canonicalization when
>    CanonicalizeHostname=yes and ProxyJump was expicitly set to
>    "none". bz3567
>  * scp(1): when copying local->remote, check that the source file
>    exists before opening an SFTP connection to the server. Based on
>    GHPR#370
> Portability
> -----------
>  * All: a number of build fixes for various platforms and
>    configuration combinations.
>  * sshd(8): provide a replacement for the SELinux matchpathcon()
>    function, which is deprecated.
>  * All: relax libcrypto version checks for OpenSSL >=3. Beyond
>    OpenSSL 3.0, the ABI compatibility guarantees are wider (only
>    the library major must match instead of major and minor in
>    earlier versions).  bz#3548.
>  * Tests: fix build problems for the FIDO provider module
>    used in some tests.
> OpenSSH is brought to you by Markus Friedl, Niels Provos, Theo de
> Raadt, Kevin Steves, Damien Miller, Darren Tucker, Jason McIntyre,
> Tim Rice and Ben Lindstrom.
> _______________________________________________
> openssh-unix-dev mailing list
> openssh-unix-dev@xxxxxxxxxxx

openssh-unix-dev mailing list

[Date Prev] [Date Next] [Thread Prev] [Thread Next] [Date Index] [Thread Index]

[Index of Archives]     [Linux ARM Kernel]     [Linux ARM]     [Linux Omap]     [Fedora ARM]     [IETF Annouce]     [Security]     [Bugtraq]     [Linux]     [Linux OMAP]     [Linux MIPS]     [ECOS]     [Asterisk Internet PBX]     [Linux API]

  Powered by Linux