OpenSSH 3.7.1 released

From: Markus Friedl (markus_at_openbsd.org)
Date: 09/17/03

  • Next message: Darryl Baker: "OpenSSH 3.7 client truncates banner"
    Date: Wed, 17 Sep 2003 01:13:14 +0200
    To: secureshell@securityfocus.com
    
    

    OpenSSH 3.7.1 has just been released. It will be available from the
    mirrors listed at http://www.openssh.com/ shortly.

    OpenSSH is a 100% complete SSH protocol version 1.3, 1.5 and 2.0
    implementation and includes sftp client and server support.

    We would like to thank the OpenSSH community for their continued
    support to the project, especially those who contributed source and
    bought T-shirts or posters.

    We have a new design of T-shirt available, more info on
            http://www.openbsd.org/tshirts.html#18

    For international orders use https://https.openbsd.org/cgi-bin/order
    and for European orders, use https://https.openbsd.org/cgi-bin/order.eu

    Security Changes:
    =================

      All versions of OpenSSH's sshd prior to 3.7.1 contain buffer
      management errors. It is uncertain whether these errors are
      potentially exploitable, however, we prefer to see bugs
      fixed proactively.

      OpenSSH 3.7 fixed one of these bugs.

      OpenSSH 3.7.1 fixes more similar bugs.

    Changes since OpenSSH 3.6.1:
    ============================

    * The entire OpenSSH code-base has undergone a license review. As
      a result, all non-ssh1.x code is under a BSD-style license with no
      advertising requirement. Please refer to README in the source
      distribution for the exact license terms.

    * Rhosts authentication has been removed in ssh(1) and sshd(8).

    * Changes in Kerberos support:

        - KerberosV password support now uses a file cache instead of
          a memory cache.

        - KerberosIV and AFS support has been removed.

        - KerberosV support has been removed from SSH protocol 1.

        - KerberosV password authentication support remains for SSH
          protocols 1 and 2.

        - This release contains some GSSAPI user authentication support
          to replace legacy KerberosV authentication support. At present
          this code is still considered experimental and SHOULD NOT BE
          USED.
      
    * Changed order that keys are tried in public key authentication.
      The ssh(1) client tries the keys in the following order:

         1. ssh-agent(1) keys that are found in the ssh_config(5) file
         2. remaining ssh-agent(1) keys
         3. keys that are only listed in the ssh_config(5) file

      This helps when an ssh-agent(1) has many keys, where the sshd(8)
      server might close the connection before the correct key is tried.

    * SOCKS5 support has been added to the dynamic forwarding mode
      in ssh(1).

    * Removed implementation barriers to operation of SSH over SCTP.

    * sftp(1) client can now transfer files with quote characters in
      their filenames.

    * Replaced sshd(8)'s VerifyReverseMapping with UseDNS option.
      When UseDNS option is on, reverse hostname lookups are always
      performed.

    * Fix a number of memory leaks.

    * Support for sending tty BREAK over SSH protocol 2.

    * Workaround for other vendor bugs in KEX guess handling.

    * Support for generating KEX-GEX groups (/etc/moduli) in ssh-keygen(1).

    * Automatic re-keying based on amount of data sent over connection.

    * New AddressFamily option on client to select protocol to use (IPv4
      or IPv6).

    * Experimental support for the "aes128-ctr", "aes192-ctr", and
      "aes256-ctr" ciphers for SSH protocol 2.

    * Experimental support for host keys in DNS (draft-ietf-secsh-dns-xx.txt).
      Please see README.dns in the source distribution for details.

    * Portable OpenSSH:

        - Replace PAM password authentication kludge with a more correct
          PAM challenge-response module from FreeBSD.

        - PAM support may now be enabled/disabled at runtime using the
          UsePAM directive.

        - Many improvements to the OpenSC smartcard support.

        - Regression tests now work with portable OpenSSH.
          Please refer to regress/README.regress in the source distribution.

        - On platforms that support it, portable OpenSSH now honors the
          UMASK, PATH and SUPATH attributes set in /etc/default/login.

        - Deny access to locked accounts, regardless of authentication
          method in use.

    Checksums:
    ==========

    - MD5 (openssh-3.7.1.tgz) = 3d2f1644d6a3d3267e5e2421f1385129
    - MD5 (openssh-3.7.1p1.tar.gz) = f54e574e606c08ef63ebb1ab2f7689dc

    Reporting Bugs:
    ===============

    - please read http://www.openssh.com/report.html
      and http://bugzilla.mindrot.org/

    OpenSSH is brought to you by Markus Friedl, Niels Provos, Theo de Raadt,
    Kevin Steves, Damien Miller, Ben Lindstrom, Darren Tucker and Tim Rice.


  • Next message: Darryl Baker: "OpenSSH 3.7 client truncates banner"

    Relevant Pages

    • Announce: OpenSSH 4.3 released
      ... OpenSSH 4.3 has just been released. ... implementation and includes sftp client and server support. ...
      (SSH)
    • [djm@cvs.openbsd.org: OpenSSH 4.0 released]
      ... OpenSSH 4.0 has just been released. ... implementation and includes sftp client and server support. ... AllowGroups and DenyGroups (Bugzilla #909) ...
      (FreeBSD-Security)
    • Re: Client connect without host service running?
      ... Incoming clients cannot connect via ssh unless openssh is running. ... openssh caches the keys in memory... ... I went to the ssh client and compared the host ...
      (comp.security.ssh)
    • Announce: OpenSSH 4.2 released
      ... OpenSSH 4.2 has just been released. ... implementation and includes sftp client and server support. ...
      (SSH)
    • Announce: OpenSSH 4.4 released
      ... OpenSSH 4.4 has just been released. ... implementation and includes sftp client and server support. ... code or patches, reported bugs, tested snapshots and purchased ... #1173 - scp reports lost connection for very large files. ...
      (SSH)