OpenSSH 2.9.9 (fwd)

From: Cy Schubert - ITSD Open Systems Group (Cy.Schubert@uumail.gov.bc.ca)
Date: 09/27/01


From: Cy Schubert - ITSD Open Systems Group <Cy.Schubert@uumail.gov.bc.ca>
To: freebsd-security@freebsd.org
Date: Wed, 26 Sep 2001 15:25:09 -0700

A new OpenSSH has been released. I will forward the advisory in a
separate note.

Regards,
Cy Schubert
Team Leader, Sun/Alpha Team
Open Systems Group, ITSD
Ministry of Management Services
Province of BC
Phone: (250)387-8437
Fax: (250)387-5766
Internet: Cy.Schubert@osg.gov.bc.ca

------- Forwarded Message

[headers removed]
Date: Wed, 26 Sep 2001 23:05:19 +0200
From: Markus Friedl <markus@openbsd.org>
To: announce@openbsd.org
Subject: OpenSSH 2.9.9
Message-ID: <20010926230519.A4478@folly>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.5i
Sender: owner-announce@openbsd.org
Precedence: bulk
X-Loop: announce@openbsd.org

OpenSSH 2.9.9 has just been uploaded. It will be available from the
mirrors listed at http://www.openssh.com/ shortly.

OpenSSH 2.9.9 fixes a weakness in the key file option handling,
including source IP based access control.

OpenSSH is a 100% complete SSH protocol version 1.3, 1.5 and 2.0
implementation and includes sftp client and server support.

This release contains many portability bug-fixes (listed in the
ChangeLog) as well as several new features (listed below).

We would like to thank the OpenSSH community for their continued
support and encouragement.

Security Notes:
===============

This release fixes a weakness in the source IP based access control
for SSH protocol v2 public key authentication:

        Versions of OpenSSH between 2.5 and 2.9.9 are
        affected if they use the 'from=' key file option in
        combination with both RSA and DSA keys in
        ~/.ssh/authorized_keys2.

        Depending on the order of the user keys in
        ~/.ssh/authorized_keys2 sshd might fail to apply the
        source IP based access control restriction (e.g.
        from="10.0.0.1") to the correct key:

        If a source IP restricted key (e.g. DSA key) is
        immediately followed by a key of a different type
        (e.g. RSA key), then key options for the second key
        are applied to both keys, which includes 'from='.

        This means that users can circumvent the system policy
        and login from disallowed source IP addresses.
        

Important Changes:
==================

OpenSSH 2.9.9 might have upgrade issues introduced by the long time
between releases, which may affect people in unforeseen ways:

1) The files
        /etc/ssh_known_hosts2
        ~/.ssh/known_hosts2
        ~/.ssh/authorized_keys2
   are now obsolete; you can use
        /etc/ssh_known_hosts
        ~/.ssh/known_hosts
        ~/.ssh/authorized_keys
   For backward compatibility ~/.ssh/authorized_keys2 is still used for
   authentication and hostkeys are still read from the known_hosts2.
   However, old files are considered 'readonly'. Future releases are
   likely to not read these files.

2) The CheckMail option in sshd_config is deprecated; sshd no longer
   checks for new mail.

3) X11 cookies are stored in $HOME

OpenSSH is brought to you by Markus Friedl, Niels Provos, Theo de Raadt,
Kevin Steves, Damien Miller and Ben Lindstrom.

------- End of Forwarded Message

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
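The 'from=' option handling described in the Security Notes above, as an added audit example (this is not OpenSSH's code and was not part of the original announcement): it parses authorized_keys entries, applies each key's from= pattern list to a client address the way the option is meant to apply (to that key only), and flags the file layout the advisory describes, a from=-restricted key immediately followed by a key of a different type. The sample file, its key blobs and host names are constructed; the pattern matching uses Python's fnmatch for the '*' and '?' wildcards and the '!' negation that sshd documents for pattern lists, and is an approximation of sshd's own matcher, not a copy of it.

```python
"""Audit helper for OpenSSH authorized_keys files (added example, not OpenSSH code)."""
import fnmatch
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Key types of the 2.9.x era plus later ones, so the parser also handles current files.
KEY_TYPES = {"ssh-rsa", "ssh-dss", "ssh-ed25519", "ecdsa-sha2-nistp256"}


@dataclass
class AuthorizedKey:
    lineno: int
    options: List[str]
    key_type: str
    key_blob: str
    comment: str

    def from_patterns(self) -> Optional[List[str]]:
        """Pattern list of this key's from= option, or None if the key is unrestricted."""
        for opt in self.options:
            if opt.startswith("from="):
                return opt[len("from="):].strip('"').split(",")
        return None


def split_options(text: str) -> List[str]:
    """Split an options field on commas that are outside double quotes."""
    opts, buf, in_quote = [], [], False
    for c in text:
        if c == '"':
            in_quote = not in_quote
        if c == "," and not in_quote:
            opts.append("".join(buf))
            buf = []
        else:
            buf.append(c)
    if buf:
        opts.append("".join(buf))
    return opts


def parse_line(line: str, lineno: int) -> Optional[AuthorizedKey]:
    """Parse one authorized_keys line: [options] key-type base64-blob [comment]."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    options: List[str] = []
    rest = line
    # The line carries an options field unless its first token is a key type.
    if line.split(None, 1)[0] not in KEY_TYPES:
        i, in_quote, buf = 0, False, []
        while i < len(line):
            c = line[i]
            if c == "\\" and in_quote and i + 1 < len(line):   # keep escaped chars in quotes
                buf.append(line[i:i + 2])
                i += 2
                continue
            if c == '"':
                in_quote = not in_quote
            if c.isspace() and not in_quote:                   # options end at unquoted space
                break
            buf.append(c)
            i += 1
        options = split_options("".join(buf))
        rest = line[i:].strip()
    parts = rest.split(None, 2)
    if len(parts) < 2:
        raise ValueError(f"line {lineno}: malformed authorized_keys entry")
    return AuthorizedKey(lineno, options, parts[0], parts[1], parts[2] if len(parts) > 2 else "")


def parse_authorized_keys(text: str) -> List[AuthorizedKey]:
    keys = [parse_line(ln, n) for n, ln in enumerate(text.splitlines(), start=1)]
    return [k for k in keys if k is not None]


def source_allowed(key: AuthorizedKey, client_ip: str) -> bool:
    """Evaluate this key's own from= list: a matching '!' pattern denies, any other match allows."""
    patterns = key.from_patterns()
    if patterns is None:
        return True                       # no from= restriction on this key
    allowed = False
    for pat in patterns:
        negate = pat.startswith("!")
        if fnmatch.fnmatchcase(client_ip, pat[1:] if negate else pat):
            if negate:
                return False
            allowed = True
    return allowed


def keys_permitted_from(keys: List[AuthorizedKey], client_ip: str) -> List[AuthorizedKey]:
    """Per-key evaluation: the options on a line govern only that line's key."""
    return [k for k in keys if source_allowed(k, client_ip)]


def find_advisory_layout(keys: List[AuthorizedKey]) -> List[Tuple[int, int]]:
    """Line-number pairs where a from=-restricted key is immediately followed by a key
    of a different type, the layout the 2.9.9 advisory says 2.5-2.9.9 sshd mishandles."""
    return [(a.lineno, b.lineno) for a, b in zip(keys, keys[1:])
            if a.from_patterns() is not None and a.key_type != b.key_type]


# Constructed sample authorized_keys2 file; the key blobs are placeholders, not real keys.
SAMPLE_AUTHORIZED_KEYS2 = """\
# constructed sample file
from="10.0.0.1" ssh-dss PLACEHOLDERDSABLOB dsa-restricted@example
ssh-rsa PLACEHOLDERRSABLOB1 rsa-unrestricted@example
from="192.168.1.*,!192.168.1.99",no-pty ssh-rsa PLACEHOLDERRSABLOB2 rsa-lan@example
"""

if __name__ == "__main__":
    keys = parse_authorized_keys(SAMPLE_AUTHORIZED_KEYS2)
    for ip in ("10.0.0.1", "192.168.1.50", "192.168.1.99"):
        print(ip, "->", [k.comment for k in keys_permitted_from(keys, ip)])
    print("advisory layout at line pairs:", find_advisory_layout(keys))
```

Running the file shows the intended semantics (the DSA key is usable only from 10.0.0.1, the LAN key from 192.168.1.* except .99) and reports the line pair (2, 3), where a from=-restricted DSA key is followed by an RSA key, as the layout to review on hosts still running an affected release.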


