Subject: OpenSSH 3.1 released
Date: Thu, 7 Mar 2002 12:55:57 +0100
From: Markus Friedl
To: openssh-unix-announce@mindrot.org, openssh-unix-dev@mindrot.org
CC: lwn@lwn.net, announce@openbsd.org, misc@openbsd.org, dengue@deadly.org, news@linuxsecurity.com, secureshell@securityfocus.com

OpenSSH 3.1 has just been released. It will be available from the
mirrors listed at http://www.openssh.com/ shortly.

OpenSSH is a 100% complete SSH protocol version 1.3, 1.5 and 2.0
implementation and includes sftp client and server support.

We would like to thank the OpenSSH community for their continued
support and encouragement.

Important Changes:
==================

- /etc/ssh/ now default directory for keys and configuration files
- ssh-keygen no longer defaults to a specific key type (rsa1);
  use ssh-keygen -t {rsa,dsa,rsa1}
- sshd x11 forwarding listens on localhost by default;
  see sshd X11UseLocalhost option to revert to prior behaviour
  if your older X11 clients do not function with this configuration

Other Changes:
==============

- ssh ~& escape char functions now for both protocol versions
- sshd ReverseMappingCheck option changed to VerifyReverseMapping
  to clarify its function; ReverseMappingCheck can still be used
- public key fingerprint is now logged with LogLevel=VERBOSE
- reason logged for disallowed logins (e.g., no shell, etc.)
- more robust error handling for x11 forwarding
- improved packet/window size handling in ssh2
- use of regex(3) has been removed
- fix SIGCHLD races in sshd (seen on Solaris)
- sshd -o option added
- sftp -B -R -P options added
- ssh-add now adds all 3 default keys
- ssh-keyscan bug fixes
- ssh-askpass for hostkey dialog
- fix fd leak in sshd on SIGHUP
- TCP_NODELAY set on X11 and TCP forwarding endpoints

OpenSSH is brought to you by Markus Friedl, Niels Provos, Theo de Raadt,
Kevin Steves, Damien Miller and Ben Lindstrom.
Comments

By Anonymous Coward () on
anyone cares to explain what these off-by-one errors are about? (i'm not a native english speaker nor a coder)
Comments

By Masa () on
For a non-programmer:
It means that the program has allocated an array with n elements and it tries to reach information beyond the array (i.e. n+1:th element).
For example:
there is a list of numbers: [10, 25, 42].
The array contains three elements. Elements are indexed by 0, 1 and 2 (so the first element having value 10 is pointed with index 0, the second with index 1 and so on). The program however tries to reach elements by using indexes 1, 2 and 3. The third index is pointing beyond the list (because with zero-based indexing, the index 3 would point to the fourth element and the fourth element is non-existent and would cause a malfunction in the program).
So that is off-by-one.
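The list from the comment above, as an added C example that is not part of the original thread: it shows the 1..3 loop next to the 0..2 loop, and the same mistake inside a bounds check (`<=` where `<` is needed). The `struct memory` layout, the neighbour value 9999 and all function names are constructed for illustration.

```c
#include <stddef.h>
#include <stdio.h>

#define LIST_LEN 3

/* Constructed sample: the list [10, 25, 42] followed by one unrelated value.
 * Both live in one array so that touching slot 3 stays well-defined C here;
 * in a real program that slot would belong to some other variable. */
struct memory { int cells[LIST_LEN + 1]; };

struct memory fresh(void) {
    struct memory m = { { 10, 25, 42, 9999 } };
    return m;
}

/* Off by one: walks indexes 1..3, so it skips 10 and reads the neighbour. */
int sum_off_by_one(const struct memory *m) {
    int total = 0;
    for (size_t i = 1; i <= LIST_LEN; i++) total += m->cells[i];
    return total;
}

/* Correct: walks indexes 0..2. */
int sum_correct(const struct memory *m) {
    int total = 0;
    for (size_t i = 0; i < LIST_LEN; i++) total += m->cells[i];
    return total;
}

/* Off by one in a bounds check: "<=" accepts idx == LIST_LEN. */
int store_off_by_one(struct memory *m, size_t idx, int value) {
    if (idx <= LIST_LEN) { m->cells[idx] = value; return 0; }
    return -1;
}

/* Correct check: "<" rejects idx == LIST_LEN. */
int store_checked(struct memory *m, size_t idx, int value) {
    if (idx < LIST_LEN) { m->cells[idx] = value; return 0; }
    return -1;
}

int main(void) {
    struct memory a = fresh(), b = fresh();
    printf("sum: buggy=%d correct=%d\n", sum_off_by_one(&a), sum_correct(&a));
    store_off_by_one(&a, LIST_LEN, 0);
    store_checked(&b, LIST_LEN, 0);
    printf("neighbour: buggy=%d checked=%d\n", a.cells[LIST_LEN], b.cells[LIST_LEN]);
    return 0;
}
```

The buggy store reports success while changing a value that is not part of the list, which is why such bugs are caught by reviewing the comparison operator rather than by waiting for a crash.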
Comments

By Anonymous Coward () on
but how do you exploit that to leverage additional privileges?
Comments

By Anonymous Coward () on
buffer overflows basically allow an attacker to modify parts of a program's memory contents with whatever data the attacker chooses. the actual data that is written will depend upon the layout of the memory in question and what the attacker is trying to accomplish. please remember, also, that just because a program has a buffer overflow, it may not be exploitable.
a typical scenario is that the return address of a calling routine (which is stored on the program's memory stack) is overwritten with the address of the attacker's choosing. when the current sub-routine exits, it will jump back to whatever memory location the attacker chose instead of the actual location of the routine that called it. it may even be possible for the attacker to upload their own machine instructions (i.e. shellcode) and have the program execute those.
the result of this is some form of access to the system (e.g. a shell) with the same privileges as whatever program was exploited. this, of course, is not a good thing and is why it has been said time and again that daemons that run unprotected should drop their root privileges as soon as possible to minimize what an attacker could do on a system, should he gain access through a bug in the daemon.
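The mitigation named in the comment above, dropping root as early as possible, as an added C sketch that is not part of the original thread and is not OpenSSH's code. The function name `drop_privileges` and the uid/gid 65534 used in `main` are assumptions for illustration.

```c
#define _DEFAULT_SOURCE
#include <sys/types.h>
#include <grp.h>
#include <stdio.h>
#include <unistd.h>

/* Permanently switch to an unprivileged uid/gid.
 * Returns 0 on success, -1 on any failure; the caller must exit on -1
 * rather than keep running with whatever privileges remain. */
int drop_privileges(uid_t uid, gid_t gid) {
    if (uid == 0 || gid == 0)
        return -1;                    /* "dropping" to root is a caller bug */
    if (setgroups(1, &gid) != 0)      /* shed root's supplementary groups */
        return -1;
    if (setgid(gid) != 0)             /* group first: needs root to succeed */
        return -1;
    if (setuid(uid) != 0)             /* as root: real, effective, saved uid */
        return -1;
    /* Verify the drop cannot be undone. */
    if (setuid(0) == 0 || seteuid(0) == 0)
        return -1;
    if (getuid() != uid || geteuid() != uid ||
        getgid() != gid || getegid() != gid)
        return -1;
    return 0;
}

int main(void) {
    if (geteuid() != 0) {
        puts("not running as root: nothing to drop");
        return 0;
    }
    /* 65534 is a constructed value standing in for an unprivileged account. */
    if (drop_privileges(65534, 65534) != 0) {
        puts("privilege drop failed, exiting");
        return 1;
    }
    puts("now running unprivileged");
    return 0;
}
```

The order matters: once `setuid` has succeeded the process can no longer change its groups, so groups and gid are handled first and every return value is checked.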
By Anonymous Coward () on
With 3.1 I can no longer su or su - to root and run X11-forwarded applications? Is there any way to do this securely now? I'm not going to allow remote root logins via SSH as I like having the extra level of security by requiring an existing non-root account. This used to work perfectly before.