Announce: OpenSSH 4.2 released

From: Damien Miller (djm_at_cvs.openbsd.org)
Date: 09/01/05

    Date: Thu, 1 Sep 2005 07:21:05 -0600 (MDT)
    To: secureshell@securityfocus.com
    OpenSSH 4.2 has just been released. It will be available from the
    mirrors listed at http://www.openssh.com/ shortly.

    OpenSSH is a 100% complete SSH protocol version 1.3, 1.5 and 2.0
    implementation and includes sftp client and server support.

    We would like to thank the OpenSSH community for their continued
    support of the project, especially those who contributed source,
    reported bugs, tested snapshots and purchased T-shirts or posters.

    T-shirt, poster and CD sales directly support the project. Pictures
    and more information can be found at:
            http://www.openbsd.org/tshirts.html and
            http://www.openbsd.org/orders.html

    For international orders use http://https.openbsd.org/cgi-bin/order
    and for European orders, use http://https.openbsd.org/cgi-bin/order.eu

    Changes since OpenSSH 4.1:
    ============================

      - SECURITY: Fix a bug introduced in OpenSSH 4.0 that caused
        GatewayPorts to be incorrectly activated for dynamic ("-D") port
        forwardings when no listen address was explicitly specified.

      - SECURITY: sshd in OpenSSH versions prior to 4.2 allows GSSAPI
        credentials to be delegated to users who log in with methods
        other than GSSAPI authentication (e.g. public key) when the
        client requests it. This behaviour has been changed in OpenSSH
        4.2 to only delegate credentials to users who authenticate
        using the GSSAPI method. This eliminates the risk of credentials
        being inadvertently exposed to an untrusted user/host (though
        users should not activate GSSAPIDelegateCredentials to begin
        with when the remote user or host is untrusted).

      - Added a new compression method that delays the start of zlib
        compression until the user has been authenticated successfully.
        The new method ("Compression delayed") is on by default in the
        server. This eliminates the risk of any zlib vulnerability
        leading to a compromise of the server from unauthenticated users.

        NB. Older OpenSSH (<3.5) versions have a bug that will cause them
        to refuse to connect to any server that does not offer compression
        when the client has compression requested. Since the new "delayed"
        server mode isn't supported by these older clients, they will
        refuse to connect to a new server unless compression is disabled
        (on the client end) or the original compression method is enabled
        on the server ("Compression yes" in sshd_config).

      - Another round of proactive changes for signed vs unsigned integer
        bugs has been completed, including changing the atomicio() API to
        encourage safer programming. This work is ongoing.

      - Added support for the improved arcfour cipher modes from
        draft-harris-ssh-arcfour-fixes-02. This improves the cipher's
        resistance to a number of attacks by discarding early keystream
        output.
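To make the arcfour change concrete, here is an added Python illustration (not OpenSSH source code) of what "discarding early keystream output" means. It implements plain RC4, the original "arcfour" mode that uses keystream from byte 0, and the improved modes from draft-harris-ssh-arcfour-fixes (later RFC 4345), which take a 16- or 32-byte key and discard the first 1536 keystream bytes. It also measures the best-known early-keystream bias, the Mantin-Shamir observation that RC4's second output byte is zero about twice as often as it should be, before and after the discard. The 16-byte demo key and the sample message are constructed for the example.

```python
import random

# Added illustration of the arcfour keystream-discard change, not OpenSSH code.
# draft-harris-ssh-arcfour-fixes (published as RFC 4345) defines arcfour128 and
# arcfour256: plain RC4, but the first 1536 keystream bytes are thrown away
# before any of it touches data, because RC4's earliest output is biased and
# leaks information about the key.
DISCARD_BYTES = 1536


def rc4_ksa(key: bytes) -> list:
    """RC4 key-scheduling algorithm: derive the initial 256-entry permutation."""
    if not 1 <= len(key) <= 256:
        raise ValueError("RC4 key must be between 1 and 256 bytes")
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    return s


def rc4_keystream(key: bytes, discard: int = 0):
    """Yield RC4 keystream bytes, silently consuming the first `discard` of them."""
    s = rc4_ksa(key)
    i = j = 0
    produced = 0
    while True:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out = s[(s[i] + s[j]) & 0xFF]
        if produced >= discard:
            yield out
        produced += 1


def arcfour(key: bytes, data: bytes, discard: int = 0) -> bytes:
    """XOR `data` with the keystream; RC4 is symmetric, so this also decrypts."""
    ks = rc4_keystream(key, discard)
    return bytes(b ^ next(ks) for b in data)


def arcfour_original(key: bytes, data: bytes) -> bytes:
    """The pre-4.2 "arcfour" mode: keystream is used from its very first byte."""
    return arcfour(key, data, discard=0)


def arcfour_improved(key: bytes, data: bytes) -> bytes:
    """arcfour128 / arcfour256 per RFC 4345: 16- or 32-byte key, 1536 bytes dropped."""
    if len(key) not in (16, 32):
        raise ValueError("improved arcfour modes use 16-byte or 32-byte keys")
    return arcfour(key, data, discard=DISCARD_BYTES)


def second_byte_zero_rate(n_keys: int, discard: int = 0, seed: int = 1) -> float:
    """Fraction of random 16-byte keys whose 2nd usable keystream byte is 0.

    An unbiased stream gives about 1/256. Raw RC4 gives roughly 2/256 (the
    Mantin-Shamir bias); after discarding 1536 bytes the bias is gone.
    """
    rng = random.Random(seed)  # seeded so the measurement is reproducible
    zeros = 0
    for _ in range(n_keys):
        key = bytes(rng.getrandbits(8) for _ in range(16))  # constructed key
        ks = rc4_keystream(key, discard)
        next(ks)                 # first usable byte
        if next(ks) == 0:        # second usable byte
            zeros += 1
    return zeros / n_keys


if __name__ == "__main__":
    key = b"0123456789abcdef"    # constructed 16-byte demo key
    msg = b"delayed compression, discarded keystream"
    assert arcfour_improved(key, arcfour_improved(key, msg)) == msg
    print("raw RC4       P[2nd byte == 0] ~ %.4f" % second_byte_zero_rate(10000))
    print("1536 dropped  P[2nd byte == 0] ~ %.4f" % second_byte_zero_rate(4000, DISCARD_BYTES))
    print("unbiased ideal                ~ %.4f" % (1 / 256))
```

Run stand-alone it prints the measured rate for raw RC4 (close to 0.0078) against the rate after the discard (close to 0.0039, the unbiased value). The discard does not turn RC4 into a modern cipher; it only removes the cheap-to-exploit early-keystream weaknesses, which is exactly the limited claim the announcement makes.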

      - Increase the default size of new RSA/DSA keys generated by
        ssh-keygen from 1024 to 2048 bits.

      - Many bugfixes and improvements to connection multiplexing,
        including:

        - Added ControlMaster=auto/autoask options to support opportunistic
          multiplexing (see the ssh_config(5) manpage for details).

        - The client will now gracefully fall back to starting a new TCP
          connection if it cannot connect to a specified multiplexing
          control socket.

        - Added %h (target hostname), %p (target port) and %r (remote
          username) expansion sequences to ControlPath. Also allow
          ControlPath=none to disable connection multiplexing.

        - Implemented support for X11 and agent forwarding over multiplexed
          connections. Because of protocol limitations, the slave
          connections inherit the master's DISPLAY and SSH_AUTH_SOCK rather
          than distinctly forwarding their own.
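The multiplexing options above fit together in a client configuration like the following. This is an added example, not text from the announcement or from the OpenSSH manual pages; the host name bastion.example.com and the socket naming are assumptions chosen for illustration.

```text
# ~/.ssh/config (added example)

# ssh_config uses the first value obtained for each option, so a host that
# must never share a connection is listed before the catch-all "Host *".
Host bastion.example.com
    ControlPath none

Host *
    # auto: reuse a master already listening on ControlPath; if none is
    # there, this session becomes the master (autoask would prompt first)
    ControlMaster auto
    # %r, %h and %p make the socket unique per remote user, host and port,
    # so two different destinations never share a master by accident
    ControlPath ~/.ssh/mux-%r@%h:%p
```

Two points worth keeping in mind when deploying this. The control socket hands out fully authenticated sessions to any local process that can connect to it, so it belongs in a directory only the user can enter (~/.ssh is normally mode 0700). And, as the release notes say, slave sessions inherit the master's DISPLAY and SSH_AUTH_SOCK rather than forwarding their own, so X11 and agent forwarding follow whatever the master was started with.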

      - Portable OpenSSH: Added support for long passwords (> 8-char) on
        UnixWare 7.

      - The following bugs from http://bugzilla.mindrot.org/ were closed:

         #471 - Misleading error message if /dev/tty perms wrong
         #623 - Don't use $HOME in manpages
         #829 - Don't allocate a tty if -n option is set
         #1025 - Correctly handle disabled special character in ttymodes
         #1033 - Fix compile-time warnings
         #1046 - AIX 5.3 Garbage on Login
         #1054 - Don't terminate connection on getpeername() failure
         #1076 - GSSAPIDelegateCredentials issue mentioned above

      - Lots of other improvements and fixes. Please refer to the ChangeLog
        for details.

    Thanks to everyone who has contributed patches, problem or test reports.

    Checksums:
    ==========

    - SHA1 (openssh-4.2.tar.gz) = d2bd777986a30e446268ceeb24cddbf2edf51b21
    - SHA1 (openssh-4.2p1.tar.gz) = 5e7231cfa8ec673ea856ce291b78fac8b380eb78

    Reporting Bugs:
    ===============

    - please read http://www.openssh.com/report.html
      and http://bugzilla.mindrot.org/

    OpenSSH is brought to you by Markus Friedl, Niels Provos, Theo de Raadt,
    Kevin Steves, Damien Miller, Ben Lindstrom, Darren Tucker and Tim Rice.


