Re: Call for testing: OpenSSH 9.4

[Date Prev] [Date Next] [Thread Prev] [Thread Next] [Date Index] [Thread Index]

 



Hi Damien,

Build and tests have passed on Fedora Linux 38 and openSUSE Tumbleweed.

Thanks

On 7/31/23 08:12, Damien Miller wrote:
Hi,

OpenSSH 9.4 is almost ready for release, so we would appreciate testing
on as many platforms and systems as possible. This is a bugfix release.

Snapshot releases for portable OpenSSH are available from
http://www.mindrot.org/openssh_snap/

The OpenBSD version is available in CVS HEAD:
http://www.openbsd.org/anoncvs.html

Portable OpenSSH is also available via git using the
instructions at http://www.openssh.com/portable.html#cvs
At https://anongit.mindrot.org/openssh.git/ or via a mirror at Github:
https://github.com/openssh/openssh-portable

Running the regression tests supplied with Portable OpenSSH does not
require installation and is a simply:

$ ./configure && make tests

Live testing on suitable non-production systems is also appreciated.
Please send reports of success or failure to
openssh-unix-dev@xxxxxxxxxxx. Security bugs should be reported
directly to openssh@xxxxxxxxxxx.

Below is a summary of changes. More detail may be found in the ChangeLog
in the portable OpenSSH tarballs.

Thanks to the many people who contributed to this release.

Changes since OpenSSH 9.3p2
===========================

This release fixes a number of bugs and adds some small features.

Potentially incompatible changes
--------------------------------

  * This release removes support for older versions of libcrypto.
    OpenSSH now requires LibreSSL >= 3.1.0 or OpenSSL >= 1.1.1.
    Note that these versions are already deprecated by their upstream
    vendors.

  * ssh-agent(1): PKCS#11 modules must now be specified by their full
    paths. Previously dlopen(3) could search for them in system
    library directories.

New features
------------

  * ssh(1): allow forwarding Unix Domain sockets via ssh -W.

  * ssh(1): add support for configuration tags to ssh(1).
    This adds a ssh_config(5) "Tag" directive and corresponding
    "Match tag" predicate that may be used to select blocks of
    configuration similar to the pf.conf(5) keywords of the same
    name.

  * ssh(1): add a "match localnetwork" predicate. This allows matching
    on the addresses of available network interfaces and may be used to
    vary the effective client configuration based on network location.

  * ssh(1), sshd(8), ssh-keygen(1): infrastructure support for KRL
    extensions.  This defines wire formats for optional KRL extensions
    and implements parsing of the new submessages. No actual extensions
    are supported at this point.

  * sshd(8): AuthorizedPrincipalsCommand and AuthorizedKeysCommand now
    accept two additional %-expansion sequences: %D which expands to
    the routing domain of the connected session and %C which expands
    to the addresses and port numbers for the source and destination
    of the connection.

  * ssh-keygen(1): increase the default work factor (rounds) for the
    bcrypt KDF used to derive symmetric encryption keys for passphrase
    protected key files by 50%.

Bugfixes
--------

  * ssh-agent(1): improve isolation between loaded PKCS#11 modules
    by running seperate ssh-pkcs11-helpers for each loaded provider.

  * ssh(1): make -f (fork after authentication) work correctly with
    multiplexed connections, including ControlPersist. bz3589 bz3589

  * ssh-agent(1), ssh(1): improve defences against invalid PKCS#11
    modules being loaded by checking that the requested module
    contains the required symbol before loading it.

  * sshd(8): fix AuthorizedPrincipalsCommand when AuthorizedKeysCommand
    appears before it in sshd_config. Since OpenSSH 8.7 the
    AuthorizedPrincipalsCommand directive was incorrectly ignored in
    this situation. bz3574

  * sshd(8), ssh(1), ssh-keygen(1): remove vestigal support for KRL
    signatures When the KRL format was originally defined, it included
    support for signing of KRL objects. However, the code to sign KRLs
    and verify KRL signatues was never completed in OpenSSH. This
    release removes the partially-implemented code to verify KRLs.
    All OpenSSH tools now ignore KRL_SECTION_SIGNATURE sections in
    KRL files.

  * All: fix a number of memory leaks and unreachable/harmless integer
    overflows.

  * ssh-agent(1), ssh(1): don't truncate strings logged from PKCS#11
    modules; GHPR406

  * sshd(8), ssh(1): better validate CASignatureAlgorithms in
    ssh_config and sshd_config. Previously this directive would accept
    certificate algorithm names, but these were unusable in practice as
    OpenSSH does not support CA chains. bz3577

  * ssh(1): make `ssh -Q CASignatureAlgorithms` only list signature
    algorithms that are valid for CA signing. Previous behaviour was
    to list all signing algorithms, including certificate algorithms.

  * ssh-keyscan(1): gracefully handle systems where rlimits or the
    maximum number of open files is larger than INT_MAX; bz3581

  * ssh-keygen(1): fix "no comment" not showing on when running
    `ssh-keygen -l` on multiple keys where one has a comment and other
    following keys do not. bz3580

  * scp(1), sftp(1): adjust ftruncate() logic to handle servers that
    reorder requests. Previously, if the server reordered requests then
    the resultant file would be erroneously truncated.

  * ssh(1): don't incorrectly disable hostname canonicalization when
    CanonicalizeHostname=yes and ProxyJump was expicitly set to
    "none". bz3567

  * scp(1): when copying local->remote, check that the source file
    exists before opening an SFTP connection to the server. Based on
    GHPR#370

Portability
-----------

  * All: a number of build fixes for various platforms and
    configuration combinations.

  * sshd(8): provide a replacement for the SELinux matchpathcon()
    function, which is deprecated.

  * All: relax libcrypto version checks for OpenSSL >=3. Beyond
    OpenSSL 3.0, the ABI compatibility guarantees are wider (only
    the library major must match instead of major and minor in
    earlier versions).  bz#3548.

  * Tests: fix build problems for the sk-dummy.so FIDO provider module
    used in some tests.

OpenSSH is brought to you by Markus Friedl, Niels Provos, Theo de
Raadt, Kevin Steves, Damien Miller, Darren Tucker, Jason McIntyre,
Tim Rice and Ben Lindstrom.

_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev



[Date Prev] [Date Next] [Thread Prev] [Thread Next] [Date Index] [Thread Index]

[Index of Archives]     [Linux ARM Kernel]     [Linux ARM]     [Linux Omap]     [Fedora ARM]     [IETF Annouce]     [Security]     [Bugtraq]     [Linux]     [Linux OMAP]     [Linux MIPS]     [ECOS]     [Asterisk Internet PBX]     [Linux API]

  Powered by Linux