OpenBSD Journal

OpenSSH 4.5 Released.

Contributed by sean on from the arrrrrr-it-be-to-patch-matey dept.

It isn't a big one, but a release none the less. Directly from the release notes:

OpenSSH 4.5 has just been released. It will be available from the
mirrors listed at http://www.openssh.com/ shortly.

OpenSSH is a 100% complete SSH protocol version 1.3, 1.5 and 2.0
implementation and includes sftp client and server support.

Once again, we would like to thank the OpenSSH community for their
continued support of the project, especially those who contributed
code or patches, reported bugs, tested snapshots and purchased
T-shirts or posters.
T-shirt, poster and CD sales directly support the project. Pictures
and more information can be found at:
http://www.openbsd.org/tshirts.html and
http://www.openbsd.org/orders.html

For international orders use http://https.openbsd.org/cgi-bin/order
and for European orders, use http://https.openbsd.org/cgi-bin/order.eu

Changes since OpenSSH 4.4:
============================

This is a bugfix only release. No new features have been added.

Security bugs resolved in this release:

* Fix a bug in the sshd privilege separation monitor that weakened its
verification of successful authentication. This bug is not known to
be exploitable in the absence of additional vulnerabilities.

This release includes the following non-security fixes:

* Several compilation fixes for portable OpenSSH

* Fixes to Solaris SMF/process contract support (bugzilla #1255)

Thanks to everyone who has contributed patches, reported bugs and
tested releases.

Checksums:
==========

- SHA1 (openssh-4.5.tar.gz) = def3de1557181062d788695b9371d02635af39fb
- SHA1 (openssh-4.5p1.tar.gz) = 2eefcbbeb9e4fa16fa4500dec107d1a09d3d02d7

Reporting Bugs:
===============

- please read http://www.openssh.com/report.html
and http://bugzilla.mindrot.org/

OpenSSH is brought to you by Markus Friedl, Niels Provos, Theo de Raadt,
Kevin Steves, Damien Miller, Darren Tucker, Jason McIntyre, Tim Rice and
Ben Lindstrom.

(Comments are closed)


Comments
  1. By Jared (72.129.181.245) dev@null.org on

    Thanks, folks. You do great work.

    Comments
    1. By Anonymous Coward (64.62.190.126) on

      > Thanks, folks. You do great work.

      Well.. thanks too

      But I noticed a dramaticly reduced release-circle in SSH....
      4.4 isn`t that old! And now we`ve 4.5....

      So developers:
      Do hurry less and take ya time... :)

  2. By Anonymous Coward (195.29.148.251) on

    Will ever be considered implementing UDP VPN tunneling in OpenSSH ? This way OpenSSH would replace OpenVPN in many situations.

    Comments
    1. By Anonymous Coward (217.205.77.85) on

      > Will ever be considered implementing UDP VPN tunneling in OpenSSH ? This way OpenSSH would replace OpenVPN in many situations.

      I would say probably not as there would be quite a lot of goo to make UDP reliable.... would be a nice option though ;)

      Comments
      1. By sean (24.79.89.96) on

        > > Will ever be considered implementing UDP VPN tunneling in OpenSSH ? This way OpenSSH would replace OpenVPN in many situations.
        >
        > I would say probably not as there would be quite a lot of goo to make UDP reliable.... would be a nice option though ;)
        >

        Maybe not specifically but you can already do similar with '-w' and a recent version of OpenSSH on both ends. It is not 'recommended' but long term hauls but I have a few uses for this for when I don't want to bother with ipsec but don't want to give up encryption.

        Comments
        1. By Anonymous Coward (195.29.157.74) on

          > Maybe not specifically but you can already do similar with '-w' and a recent version of OpenSSH on both ends. It is not 'recommended' but long term hauls but I have a few uses for this for when I don't want to bother with ipsec but don't want to give up encryption.


          the point is: transport traffic is still TCP, and tunneling TCP over TCP is a bad idea (see http://sites.inka.de/sites/bigred/devel/tcp-tcp.html).

      2. By Anonymous Coward (128.171.90.200) on

        UDP isn't reliable

        Comments
        1. By Anonymous Coward (195.29.157.74) on

          > UDP isn't reliable

          yes, but TCP over UDP *is* reliable. in that case UDP is just an "extended" IP, and transported TCP gives you a reliability.

  3. By Anonymous Coward (66.219.198.22) on

    Well can somebody explain me why OpenSSH gets released even it does not fix ANY critical Bug nor provides new features?

    I mean....

    OpenBSD/Ports -> Even there Bugs offen you wont get an Update for STABLE
    OpenBSD/Stable -> Just SECURITY related Patches get Backported from
    Current (see pgt-Driver wich can crash the whole OS
    a fix for this is in current but not in STABLE)

    So why gets OpenSSH an update? I mean OpenSSH is a core application of OpenBSD so it`s realy annoying why they make an exception for SSH only but not even for Drivers wich do crash the whole OS if you remove a cardbus card....?

    It just looks annoying...

    Anyway: Thanks for another oSSH Release

    Comments
    1. By Anonymous Coward (87.194.34.157) on

      > So why gets OpenSSH an update? I mean OpenSSH is a core application of OpenBSD so it`s realy annoying why they make an exception for SSH only but not even for Drivers wich do crash the whole OS if you remove a cardbus

      Maybe because they care more about programs that can lead to your machine being comprised than about a random bug to a local user?



      Comments
      1. By Anonymous Coward (204.13.236.244) on

        > > So why gets OpenSSH an update? I mean OpenSSH is a core application of OpenBSD so it`s realy annoying why they make an exception for SSH only but not even for Drivers wich do crash the whole OS if you remove a cardbus
        >
        > Maybe because they care more about programs that can lead to your machine being comprised than about a random bug to a local user?

        It`s easier for a local "user" to remove a Cardbus Card then for a remote attacker to make an exploit wich walks arround all the sec. OpenBSD provides, or?

        A total crash can lead to data loss.
        Compared to the security OpenBSD provides the pgt-Driver is the bigger risk at all. And pgt is just one example...
        We also could talk about the wi-based USB-Sticks in Monitor mode...

        Well... why should somebody care about such a "Bug" in SSH (wich is not exploitable and even it would be exploitable it wouldn`t affect oBSD imho...) if any local user can, even by accident, crash oBSD Boxes and destroy data.

        Btw: The Driver for ARC was updated.... the driver for pgt wasn`t
        I personaly would bet there more users with a pgt-Device then with a arc-Device out there....

    2. By djm@ (65.57.245.11) on

      > Well can somebody explain me why OpenSSH gets released even
      > it does not fix ANY critical Bug nor provides new features?

      Did you miss the part about the security bug it fixes? Would you prefer we leave it there for another four months while we "add features"?

      -d

      Comments
      1. By Anonymous Coward (83.216.204.134) on

        > > Well can somebody explain me why OpenSSH gets released even
        > > it does not fix ANY critical Bug nor provides new features?
        >
        > Did you miss the part about the security bug it fixes? Would you prefer we leave it there for another four months while we "add features"?
        >
        > -d

        And a crashing OS because a removed cardbus card from the laptop is absolutly NO RISK for you data, right?

        No I wont that you do ADD features!
        But I wanna get FIXES for ALL known problems wich could damage data or crash the Kernel. And I wont use "current" just because of the Fact that somebody could walk arround and unplug my Cardbus card....

        Just because ARC is used in bigger mashines it`s just a >REALIABILITY< Fix. Other stuff does not get fixed. As Ive said: pgt-Driver is just one example for another pot. "realiability" Fix.

        Comments
        1. By Anonymous Coward (66.39.191.242) on

          >
          > And a crashing OS because a removed cardbus card from the laptop is absolutly NO RISK for you data, right?
          >

          So the driver for whatever card you like to eject doesn't handle ejection properly? Maybe don't do it, then?

          > But I wanna get FIXES for ALL known problems wich could damage data or crash the Kernel. And I wont use "current" just because of the Fact that somebody could walk arround and unplug my Cardbus card....
          >

          Provide a patch for stable? Or if the problem isn't fixed in current,
          provide a patch, period? Or just sit around and whine about it like
          a little fucking girl. Don't provide any diagnostics information to anyone who might be able to help, just bitch and moan. Blah, blah, blah.

          > Just because ARC is used in bigger mashines it`s just a >REALIABILITY< Fix. Other stuff does not get fixed. As Ive said: pgt-Driver is just one example for another pot. "realiability" Fix.
          >

          Oh, I see, you have all the documentation for the Intersil Prism GT and
          you wrote the soft-mac code to complete support for all cards, right? NO??? Oh, and instead of trying to do any debugging, you just sit around and whine like a little bitch?

          I have a little bit of advice for you and anyone else who might agree with you. Shut the fuck up. Open your fucking eyes and try to figure out how you can help to solve the problem yourself or help someone else solve the problem. If you can't do this, then you can't do anything constuctive to solve the problem, so once again, SHUT THE FUCK UP.

          Comments
          1. By Anonymous Coward (82.165.180.112) on

            Listen carefully bitching troll:

            The patch does exists, it is in current.. YOU just have to "backport" it to stable.


            And now get a life.

          2. By Mr. Spock (217.10.142.170) electrodynamics | at | web | dot | de on

            What a load of an unfactual, unobjective, unfriendly, and offending posting. Full of bad words from the street. This is the way we should discuss always here with one another. The arguments of the OP are absolutely rational, there's no reason to attack him. Absolutely embarassing and a shame for this side is the attack.

            Comments
            1. By Brad (216.138.195.228) brad at comstyle dot com on

              > What a load of an unfactual, unobjective, unfriendly, and offending posting. Full of bad words from the street. This is the way we should discuss always here with one another. The arguments of the OP are absolutely rational, there's no reason to attack him. Absolutely embarassing and a shame for this side is the attack.

              The arguments of the OP are NOT rational at all. The issue does not affect the release. You are just embarrassing yourself for backing him up without doing any research first.

              Look at this cvsweb URL... http://www.openbsd.org/cgi-bin/cvsweb/src/sys/dev/cardbus/if_pgt_cardbus.c

              You will see that the pgt(4) CardBus front end was NOT tagged for the 4.0 release, but was instead added after the tree was tagged. There is no way he could be running a proper 4.0 kernel. So, he is either using a custom unsupported 4.0 kernel or a -current snapshot. If he's using a custom unsupported 4.0 kernel then it is up to him to deal with the issue. If he's using a -current snap then he could easily upgrade to a newer snap to resolve the issue. Either way it is up to him to resolve his own issue.

        2. By Brad (216.138.195.228) brad at comstyle dot com on

          > > > Well can somebody explain me why OpenSSH gets released even
          > > > it does not fix ANY critical Bug nor provides new features?
          > >
          > > Did you miss the part about the security bug it fixes? Would you prefer we leave it there for another four months while we "add features"?
          > >
          > > -d
          >
          > And a crashing OS because a removed cardbus card from the laptop is absolutly NO RISK for you data, right?

          The pgt(4) driver did NOT support CardBus versions of this adapter with the 4.0 release, meaning that you are running a -current snapshot. Update to a newer snapshot where the issue has been fixed!

          > No I wont that you do ADD features!
          > But I wanna get FIXES for ALL known problems wich could damage data or crash the Kernel. And I wont use "current" just because of the Fact that somebody could walk arround and unplug my Cardbus card....

          You are already running -current if you're using a CardBus pgt(4) adapter.

        3. By Anonymous Coward (65.57.245.11) on

          > No I wont that you do ADD features!
          > But I wanna get FIXES for ALL known problems wich could damage
          > data or crash the Kernel. And I wont use "current" just because
          > of the Fact that somebody could walk arround and unplug my Cardbus
          > card....

          oh, you are one of those non-developers who believes that development effort is entirely fungible. Well, you are wrong.

          You are also out of line.

  4. By Alex Kraskramp (80.242.226.6) on http://www.purebsd.com

    For f*ck sake plus another hundred curses!

    Users of OpenBSD *do* have the right to expres their wishes, but hey, keep it cool! Work on OpenBSD is done on a voluntairy basis! Noone is getting paid to fix driver X, program Y or kernel feature Z. Please, remember that.

    I, for instance, would like to see an OpenBSD SMTP server, DNS server and HTTP server developed as good (or better) as respectively Qmail, DJBDNS and Apache. We have OpenBSD, OpenSSH, OpenRCS et cetera. No OpenSMTP or OpenWWW. And what do I do? Nothing. I'm just a stupid user, who is BLOODY happy with the work OpenBSD guys are doing since OpenBSD 2.7.

    So all you f*ckups should donate money once in a while, like I do, to the OpenBSD project (if you can afford it). THEY NEED IT. You KNOW they NEED it.

Credits

Copyright © - Daniel Hartmeier. All rights reserved. Articles and comments are copyright their respective authors, submission implies license to publish on this web site. Contents of the archive prior to as well as images and HTML templates were copied from the fabulous original deadly.org with Jose's and Jim's kind permission. This journal runs as CGI with httpd(8) on OpenBSD, the source code is BSD licensed. undeadly \Un*dead"ly\, a. Not subject to death; immortal. [Obs.]