Contributed by jason on from the cover-my-plaintext dept.
Damien Miller (djm@) just released OpenSSH 5.2! It sounds like this is mainly a bugfix release although it does have some nifty new features such as logging to syslog rather than stderr (useful for daemonized ssh) and dynamic allocation of the remote listening port.
OpenSSH 5.2 has just been released. It will be available from the mirrors listed at http://www.openssh.com/ shortly. OpenSSH is a 100% complete SSH protocol version 1.3, 1.5 and 2.0 implementation and includes sftp client and server support. We have also recently completed another Internet SSH usage scan, the results of which may be found at http://www.openssh.com/usage.html Once again, we would like to thank the OpenSSH community for their continued support of the project, especially those who contributed code or patches, reported bugs, tested snapshots or donated to the project. More information on donations may be found at: http://www.openssh.com/donations.html The focus of this release has been on bugfixes as the previous openssh-5.1 release introduced many new features and made some invasive changes. Changes since OpenSSH 5.1 ========================= Security: * This release changes the default cipher order to prefer the AES CTR modes and the revised "arcfour256" mode to CBC mode ciphers that are susceptible to CPNI-957037 "Plaintext Recovery Attack Against SSH". * This release also adds countermeasures to mitigate CPNI-957037-style attacks against the SSH protocol's use of CBC-mode ciphers. Upon detection of an invalid packet length or Message Authentication Code, ssh/sshd will continue reading up to the maximum supported packet length rather than immediately terminating the connection. This eliminates most of the known differences in behaviour that leaked information about the plaintext of injected data which formed the basis of this attack. We believe that these attacks are rendered infeasible by these changes. New features: * Added a -y option to ssh(1) to force logging to syslog rather than stderr, which is useful when running daemonised (ssh -f) * The sshd_config(5) ForceCommand directive now accepts commandline arguments for the internal-sftp server. * The ssh(1) ~C escape commandline now support runtime creation of dynamic (-D) port forwards. * Support the SOCKS4A protocol in ssh(1) dynamic (-D) forwards. (bz#1482) * Support remote port forwarding with a listen port of '0'. This informs the server that it should dynamically allocate a listen port and report it back to the client. (bz#1003) * sshd(8) now supports setting PermitEmptyPasswords and AllowAgentForwarding in Match blocks Bug and documentation fixes * Repair a ssh(1) crash introduced in openssh-5.1 when the client is sent a zero-length banner (bz#1496) * Due to interoperability problems with certain broken SSH implementations, the eow@openssh.com and no-more-sessions@openssh.com protocol extensions are now only sent to peers that identify themselves as OpenSSH. * Make ssh(1) send the correct channel number for SSH2_MSG_CHANNEL_SUCCESS and SSH2_MSG_CHANNEL_FAILURE messages to avoid triggering 'Non-public channel' error messages on sshd(8) in openssh-5.1. * Avoid printing 'Non-public channel' warnings in sshd(8), since the ssh(1) has sent incorrect channel numbers since ~2004 (this reverts a behaviour introduced in openssh-5.1). * Avoid double-free in ssh(1) ~C escape -L handler (bz#1539) * Correct fail-on-error behaviour in sftp(1) batchmode for remote stat operations. (bz#1541) * Disable nonfunctional ssh(1) ~C escape handler in multiplex slave connections. (bz#1543) * Avoid hang in ssh(1) when attempting to connect to a server that has MaxSessions=0 set. * Multiple fixes to sshd(8) configuration test (-T) mode * Several core and portable OpenSSH bugs fixed: 1380, 1412, 1418, 1419, 1421, 1490, 1491, 1492, 1514, 1515, 1518, 1520, 1538, 1540 * Many manual page improvements. Checksums: ========== - SHA1 (openssh-5.2.tar.gz) = 260074ed466e95f054ac05a4406f613d08575217 - SHA1 (openssh-5.2p1.tar.gz) = 8273a0237db98179fbdc412207ff8eb14ff3d6de Reporting Bugs: =============== - Please read http://www.openssh.com/report.html Security bugs should be reported directly to openssh@openssh.com OpenSSH is brought to you by Markus Friedl, Niels Provos, Theo de Raadt, Kevin Steves, Damien Miller, Darren Tucker, Jason McIntyre, Tim Rice and Ben Lindstrom.
(Comments are closed)
By Mayuresh Kathe (mayuresh) kathe.mayuresh@gmail.com on http://mayuresh.kathe.in/
It's because of neat stuff like this that I stick around with OpenBSD.
Add to that the fact that it hasn't crashed on me in the past 5 years that I've been using it.
My only wish would be to have a replacement for the X Windowing System, its bloated and archaic.
Comments
By Daniel Bolgheroni (187.10.0.216) on
> It's because of neat stuff like this that I stick around with OpenBSD.
> Add to that the fact that it hasn't crashed on me in the past 5 years that I've been using it.
>
> My only wish would be to have a replacement for the X Windowing System, its bloated and archaic.
>
http://www.y-windows.org/about.html
Comments
By Anonymous Coward (204.49.40.232) on
> > It's because of neat stuff like this that I stick around with OpenBSD.
> > Add to that the fact that it hasn't crashed on me in the past 5 years that I've been using it.
> >
> > My only wish would be to have a replacement for the X Windowing System, its bloated and archaic.
> >
>
> http://www.y-windows.org/about.html
With the last news on this project being five years ago, Y Windows will be merely archaic. ;-)
Comments
By Anonymous Coward (128.171.90.200) on
>
> With the last news on this project being five years ago, Y Windows will be merely archaic. ;-)
>
Quite possibly it didn't get much attention and so developer interest waned, but it's GPL'd and so it's possible to resuscitate it, should anyone want to. If the code is clean enough it might inspire a new project.
Comments
By Anonymous Coward (208.124.37.81) on
By Anonymous Coward (4.78.205.35) on
> Quite possibly it didn't get much attention and so developer interest waned, but it's GPL'd and so it's possible to resuscitate it, should anyone want to.
There's the dirty word: "GPL'd". To make it into the base tree, it would need to be completely rewritten to get rid of GPL contamination.
Comments
By Cabal (Cabal) on http://www.romraider.com/
> > Quite possibly it didn't get much attention and so developer interest waned, but it's GPL'd and so it's possible to resuscitate it, should anyone want to.
> There's the dirty word: "GPL'd". To make it into the base tree, it would need to be completely rewritten to get rid of GPL contamination.
>
>
Like GCC?
Comments
By Anonymous Coward (69.50.205.114) on
>
> Like GCC?
Zing!
By Brad (2001:470:b01e:3:216:41ff:fe17:6933) brad at comstyle dot com on
EPIC FAIL. try again.
By Rémy Couture (207.61.255.171) remycouture@gmail.com on
dynamic (-D) port forwards."
awesome