Contributed by jose on from the fixing-bugs dept.
OpenSSH is a 100% complete SSH protocol version 1.3, 1.5 and 2.0 implementation and includes sftp client and server support.
We would like to thank the OpenSSH community for their continued support to the project, especially those who contributed source and bought T-shirts or posters.
We have a new design of T-shirt available, more info on http://www.openbsd.org/tshirts.html#18
For international orders use https://https.openbsd.org/cgi-bin/order and for European orders, use https://https.openbsd.org/cgi-bin/order.eu
Security Changes:
All versions of OpenSSH's sshd prior to 3.7 contain a buffer management error. It is uncertain whether this error is exploitable; however, we prefer to see bugs fixed proactively.
OpenSSH 3.7 fixes this bug.
Additional changes below.
Changes since OpenSSH 3.6.1:
- The entire OpenSSH code-base has undergone a license review. As a result, all non-ssh1.x code is under a BSD-style license with no advertising requirement. Please refer to README in the source distribution for the exact license terms.
- Rhosts authentication has been removed in ssh(1) and sshd(8).
- Changes in Kerberos support:
- KerberosV password support now uses a file cache instead of a memory cache.
- KerberosIV and AFS support has been removed.
- KerberosV support has been removed from SSH protocol 1.
- KerberosV password authentication support remains for SSH protocols 1 and 2.
- This release contains some GSSAPI user authentication support to replace legacy KerberosV authentication support. At present this code is still considered experimental and SHOULD NOT BE USED.
- ssh(1) now tries keys in the following order:
  1. ssh-agent(1) keys that are found in the ssh_config(5) file
  2. remaining ssh-agent(1) keys
  3. keys that are only listed in the ssh_config(5) file
  This helps when an ssh-agent(1) has many keys, where the sshd(8) server might close the connection before the correct key is tried.
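As an added illustration (not OpenSSH code), the following Python models the identity ordering described in that item and shows why it matters when a server gives up after a fixed number of failed public-key offers. The agent contents, the ssh_config key list and the server limit are all constructed for the demonstration; the ordering within each of the three groups is an assumption, since the release notes only define the groups.

```python
# Added example, not part of OpenSSH: a model of the ssh(1) 3.7 identity ordering
# and a check of how many offers it takes before the correct key is reached.

from typing import Iterable, List, Optional


def order_identities(agent_keys: Iterable[str], config_keys: Iterable[str]) -> List[str]:
    """Order identities the way the release notes describe:
    1. agent keys that are also listed in ssh_config
    2. the remaining agent keys
    3. keys only listed in ssh_config
    Assumption (not stated on the page): within group 1 the ssh_config order is
    kept, within group 2 the agent order, within group 3 the ssh_config order."""
    agent = list(dict.fromkeys(agent_keys))      # de-duplicate, keep order
    config = list(dict.fromkeys(config_keys))
    agent_set, config_set = set(agent), set(config)
    in_both = [k for k in config if k in agent_set]
    agent_only = [k for k in agent if k not in config_set]
    config_only = [k for k in config if k not in agent_set]
    return in_both + agent_only + config_only


def offers_until_success(order: List[str], correct_key: str, max_tries: int) -> Optional[int]:
    """Return the 1-based offer at which correct_key is tried, or None if the server
    would close the connection after max_tries failed offers before reaching it.
    max_tries models a server-side attempt limit; the value used below is constructed."""
    for position, key in enumerate(order, start=1):
        if position > max_tries:
            return None
        if key == correct_key:
            return position
    return None


def agent_first_order(agent_keys: Iterable[str], config_keys: Iterable[str]) -> List[str]:
    """Comparison order constructed for illustration only (not a claim about any
    earlier release): all agent keys as the agent lists them, then config-only keys."""
    agent = list(dict.fromkeys(agent_keys))
    agent_set = set(agent)
    return agent + [k for k in dict.fromkeys(config_keys) if k not in agent_set]


# Constructed sample: an agent holding several unrelated keys plus the key for this
# host, and an ssh_config that names the host key first and a second, file-only key.
AGENT_KEYS = ["id_dsa_old", "id_rsa_personal", "id_rsa_client1", "id_rsa_client2",
              "id_rsa_client3", "id_rsa_client4", "id_rsa_work"]
CONFIG_KEYS = ["id_rsa_work", "id_rsa_backup"]
CORRECT_KEY = "id_rsa_work"
SERVER_LIMIT = 6  # constructed limit on failed offers before the server disconnects


if __name__ == "__main__":
    new = order_identities(AGENT_KEYS, CONFIG_KEYS)
    old = agent_first_order(AGENT_KEYS, CONFIG_KEYS)
    print("3.7 order:", new)
    print("  correct key reached at offer:", offers_until_success(new, CORRECT_KEY, SERVER_LIMIT))
    print("agent-first order:", old)
    print("  correct key reached at offer:", offers_until_success(old, CORRECT_KEY, SERVER_LIMIT))
```

With the sample above, the 3.7 ordering reaches the configured key on the first offer, while an agent-first ordering would hit the constructed six-offer limit before trying it.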
- Replace PAM password authentication kludge with a more correct PAM challenge-response module from FreeBSD.
- PAM support may now be enabled/disabled at runtime using the UsePAM directive.
- Many improvements to the OpenSC smartcard support.
- Regression tests now work with portable OpenSSH. Please refer to regress/README.regress in the source distribution.
- On platforms that support it, portable OpenSSH now honors the UMASK, PATH and SUPATH attributes set in /etc/default/login.
- Deny access to locked accounts, regardless of authentication method in use.
Checksums:
- MD5 (openssh-3.7.tgz) = 86864ecc276c5f75b06d4872a553fa70
- MD5 (openssh-3.7p1.tar.gz) = 77662801ba2a9cadc0ac10054bc6cb37
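As an added example (not code from the OpenSSH project), the following Python parses checksum lines in the "MD5 (file) = hex" form used above and verifies a downloaded archive against one. The archive contents and the checksum line used in demo() are constructed (md5 of the bytes "hello\n"); only the filename is taken from the page. Note that MD5 collisions are practical today, so a matching MD5 guards against download corruption and a careless substitution, not against a deliberate attacker; the distribution's signature should be checked as well.

```python
# Added example, not OpenSSH project code: parse BSD-style checksum lines and
# verify a file against them, streaming the file so large archives fit in memory.

import hashlib
import hmac
import os
import re
import tempfile
from typing import Optional, Tuple

# Accepts the page's form, with or without the leading list dash.
CHECKSUM_LINE = re.compile(r"^\s*-?\s*([A-Za-z0-9]+)\s*\(([^)]+)\)\s*=\s*([0-9A-Fa-f]+)\s*$")


def parse_checksum_line(line: str) -> Optional[Tuple[str, str, str]]:
    """Return (algorithm, filename, hex_digest) for a checksum line, else None."""
    m = CHECKSUM_LINE.match(line)
    if not m:
        return None
    return m.group(1).lower(), m.group(2), m.group(3).lower()


def digest_of(data: bytes, algorithm: str) -> str:
    """Hex digest of an in-memory byte string (any algorithm hashlib knows)."""
    return hashlib.new(algorithm, data).hexdigest()


def digest_file(path: str, algorithm: str, chunk_size: int = 1 << 20) -> str:
    """Hex digest of a file, read in chunks."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_file(path: str, checksum_line: str) -> bool:
    """True if the file's name and digest both match the checksum line."""
    parsed = parse_checksum_line(checksum_line)
    if parsed is None:
        raise ValueError(f"unrecognised checksum line: {checksum_line!r}")
    algorithm, filename, expected = parsed
    if os.path.basename(path) != filename:
        return False  # the line is for a different file
    actual = digest_file(path, algorithm)
    return hmac.compare_digest(actual, expected)


def demo() -> Tuple[bool, bool]:
    """Write a constructed stand-in for the archive, verify it, then tamper with it
    and verify again. Returns (result_untouched, result_tampered)."""
    # Constructed checksum line: md5 of b"hello\n", not the value printed on the page.
    line = "MD5 (openssh-3.7.tgz) = b1946ac92492d2347c6235b4d2611184"
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "openssh-3.7.tgz")  # name from the page, contents constructed
        with open(path, "wb") as f:
            f.write(b"hello\n")
        untouched = verify_file(path, line)
        with open(path, "ab") as f:
            f.write(b"x")  # simulate a corrupted or modified download
        tampered = verify_file(path, line)
    return untouched, tampered


if __name__ == "__main__":
    print("untouched, tampered:", demo())
```

The same parser handles a SHA-256 line unchanged; only the algorithm name in parentheses differs.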
Reporting Bugs:
- Please read http://www.openssh.com/report.html and http://bugzilla.mindrot.org/
By Anonymous Coward () on
You keep using that word. I do not think it means what you think it means. I'm not sure why they've bothered making that comment, anyway, Gobbles will have proof-of-concept code available within a week.
Comments
By Anonymous Coward () on
By Anonymous Coward () on
By nbfghfh () on
That's a positive thing too, really...
By Anonymous Coward () on
By Steve S. () on
Trusty Babelfish
By Anonymous Coward () on
By rete () on
By Anonymous Coward () on
By X () on
or tcpdump data
By sanda () on
shit happens...
BTW.. are you really sure about that fucking fact?
By Justin () on
By Anonymous Coward () on
I've seen no evidence that it is exploitable on OpenBSD, I've seen no evidence that there's an exploit available, and I've seen no one that's willing to post any code substantiating it. How about we all just go on and be good little sysadmins and patch our systems against a *POTENTIAL* vulnerability, as all postings I've seen place heavy emphasis on the word *POTENTIAL*.
I'm sure someone will write a 'sploit for it and yes, it may in fact affect OpenBSD, but as of yet no one's provided any proof whatsoever that it is exploitable on OpenBSD, merely that a buffer overflow exists which could *POTENTIALLY* lead to an exploit.
In other words, shut up or put up!
By djm () on
Don't have one? Stop talking like you do.
By Anonymous Coward () on
By Anonymous Coward () on
In other words: it is impossible to exploit this to gain remote root access.
Now, would someone who has actually seen this magical "exploit" describe what method it uses? I'm pretty sure if such an exploit does exist, then it uses another vulnerability, not this one, to break in.
Now, show us the exploit.
By rankor_indeustries () on
By Anonymous Coward () on
By Nate () on
I shouldn't feed you like this, but who can resist?
By person with some news () on ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/openssh-