OpenBSD Journal

OpenSSH 5.2 Released

Contributed by jason on from the cover-my-plaintext dept.

Damien Miller (djm@) just released OpenSSH 5.2! It sounds like this is mainly a bugfix release although it does have some nifty new features such as logging to syslog rather than stderr (useful for daemonized ssh) and dynamic allocation of the remote listening port.

OpenSSH 5.2 has just been released. It will be available from the
mirrors listed at http://www.openssh.com/ shortly.

OpenSSH is a 100% complete SSH protocol version 1.3, 1.5 and 2.0
implementation and includes sftp client and server support.

We have also recently completed another Internet SSH usage scan, the 
results of which may be found at http://www.openssh.com/usage.html

Once again, we would like to thank the OpenSSH community for their
continued support of the project, especially those who contributed
code or patches, reported bugs, tested snapshots or donated to the
project. More information on donations may be found at:
http://www.openssh.com/donations.html

The focus of this release has been on bugfixes as the previous
openssh-5.1 release introduced many new features and made some
invasive changes.

Changes since OpenSSH 5.1
=========================

Security:

 * This release changes the default cipher order to prefer the AES CTR
   modes and the revised "arcfour256" mode to CBC mode ciphers that are
   susceptible to CPNI-957037 "Plaintext Recovery Attack Against SSH".

 * This release also adds countermeasures to mitigate CPNI-957037-style
   attacks against the SSH protocol's use of CBC-mode ciphers. Upon
   detection of an invalid packet length or Message Authentication
   Code, ssh/sshd will continue reading up to the maximum supported
   packet length rather than immediately terminating the connection.
   This eliminates most of the known differences in behaviour that
   leaked information about the plaintext of injected data which formed
   the basis of this attack. We believe that these attacks are rendered
   infeasible by these changes.

New features:

 * Added a -y option to ssh(1) to force logging to syslog rather than
   stderr, which is useful when running daemonised (ssh -f)

 * The sshd_config(5) ForceCommand directive now accepts commandline
   arguments for the internal-sftp server.

 * The ssh(1) ~C escape commandline now support runtime creation of
   dynamic (-D) port forwards.

 * Support the SOCKS4A protocol in ssh(1) dynamic (-D) forwards.
   (bz#1482)

 * Support remote port forwarding with a listen port of '0'. This
   informs the server that it should dynamically allocate a listen
   port and report it back to the client. (bz#1003)

 * sshd(8) now supports setting PermitEmptyPasswords and
   AllowAgentForwarding in Match blocks

Bug and documentation fixes

 * Repair a ssh(1) crash introduced in openssh-5.1 when the client is
   sent a zero-length banner (bz#1496)

 * Due to interoperability problems with certain
   broken SSH implementations, the eow@openssh.com and
   no-more-sessions@openssh.com protocol extensions are now only sent
   to peers that identify themselves as OpenSSH.

 * Make ssh(1) send the correct channel number for
   SSH2_MSG_CHANNEL_SUCCESS and SSH2_MSG_CHANNEL_FAILURE messages to
   avoid triggering 'Non-public channel' error messages on sshd(8) in
   openssh-5.1.

 * Avoid printing 'Non-public channel' warnings in sshd(8), since the
   ssh(1) has sent incorrect channel numbers since ~2004 (this reverts
   a behaviour introduced in openssh-5.1).

 * Avoid double-free in ssh(1) ~C escape -L handler (bz#1539)

 * Correct fail-on-error behaviour in sftp(1) batchmode for remote
   stat operations. (bz#1541)

 * Disable nonfunctional ssh(1) ~C escape handler in multiplex slave
   connections. (bz#1543)

 * Avoid hang in ssh(1) when attempting to connect to a server that
   has MaxSessions=0 set.

 * Multiple fixes to sshd(8) configuration test (-T) mode

 * Several core and portable OpenSSH bugs fixed: 1380, 1412, 1418,
   1419, 1421, 1490, 1491, 1492, 1514, 1515, 1518, 1520, 1538, 1540

 * Many manual page improvements.

Checksums:
==========

 - SHA1 (openssh-5.2.tar.gz) = 260074ed466e95f054ac05a4406f613d08575217
 - SHA1 (openssh-5.2p1.tar.gz) = 8273a0237db98179fbdc412207ff8eb14ff3d6de

Reporting Bugs:
===============

- Please read http://www.openssh.com/report.html
  Security bugs should be reported directly to openssh@openssh.com

OpenSSH is brought to you by Markus Friedl, Niels Provos, Theo de Raadt,
Kevin Steves, Damien Miller, Darren Tucker, Jason McIntyre, Tim Rice and
Ben Lindstrom.

(Comments are closed)


  1. By Mayuresh Kathe (mayuresh) kathe.mayuresh@gmail.com on http://mayuresh.kathe.in/

    This is cool stuff.
    It's because of neat stuff like this that I stick around with OpenBSD.
    Add to that the fact that it hasn't crashed on me in the past 5 years that I've been using it.

    My only wish would be to have a replacement for the X Windowing System, its bloated and archaic.

    1. By Daniel Bolgheroni () on

      > This is cool stuff.
      > It's because of neat stuff like this that I stick around with OpenBSD.
      > Add to that the fact that it hasn't crashed on me in the past 5 years that I've been using it.
      >
      > My only wish would be to have a replacement for the X Windowing System, its bloated and archaic.
      >

      http://www.y-windows.org/about.html

      1. By Anonymous Coward () on

        > > This is cool stuff.
        > > It's because of neat stuff like this that I stick around with OpenBSD.
        > > Add to that the fact that it hasn't crashed on me in the past 5 years that I've been using it.
        > >
        > > My only wish would be to have a replacement for the X Windowing System, its bloated and archaic.
        > >
        >
        > http://www.y-windows.org/about.html

        With the last news on this project being five years ago, Y Windows will be merely archaic. ;-)

        1. By Anonymous Coward () on

          > > http://www.y-windows.org/about.html
          >
          > With the last news on this project being five years ago, Y Windows will be merely archaic. ;-)
          >

          Quite possibly it didn't get much attention and so developer interest waned, but it's GPL'd and so it's possible to resuscitate it, should anyone want to. If the code is clean enough it might inspire a new project.

          1. By Anonymous Coward () on

            Another abandoned project. WHo gives a fuck? and what the hell does it have to do with OpenSSH?

          2. By Anonymous Coward () on

            >
            > Quite possibly it didn't get much attention and so developer interest waned, but it's GPL'd and so it's possible to resuscitate it, should anyone want to.
            There's the dirty word: "GPL'd". To make it into the base tree, it would need to be completely rewritten to get rid of GPL contamination.

            1. By Cabal (Cabal) on http://www.romraider.com/

              > >
              > > Quite possibly it didn't get much attention and so developer interest waned, but it's GPL'd and so it's possible to resuscitate it, should anyone want to.
              > There's the dirty word: "GPL'd". To make it into the base tree, it would need to be completely rewritten to get rid of GPL contamination.
              >
              >

              Like GCC?

              1. By Anonymous Coward () on

                > > There's the dirty word: "GPL'd". To make it into the base tree, it would need to be completely rewritten to get rid of GPL contamination.
                >
                > Like GCC?

                Zing!

              2. By Brad () brad at comstyle dot com on

                > Like GCC?

                EPIC FAIL. try again.

  2. By Rémy Couture () remycouture@gmail.com on

    "* The ssh(1) ~C escape commandline now support runtime creation of
    dynamic (-D) port forwards."

    awesome

Credits

Copyright © - Daniel Hartmeier. All rights reserved. Articles and comments are copyright their respective authors, submission implies license to publish on this web site. Contents of the archive prior to as well as images and HTML templates were copied from the fabulous original deadly.org with Jose's and Jim's kind permission. This journal runs as CGI with httpd(8) on OpenBSD, the source code is BSD licensed. undeadly \Un*dead"ly\, a. Not subject to death; immortal. [Obs.]