OpenBSD Journal

OpenSSH 9.8 released

Contributed by Peter N. M. Hansteen on from the SSH! listen to the sound of bugs fixed dept.

In a fediverse post, Damien Miller (djm@) announced the availability of the new OpenSSH version 9.8:
OpenSSH 9.8 has just been released. This release includes a fix for a critical race condition in sshd that could be exploited for remote code execution so you should definitely patch or upgrade. It also contains a fix for a minor issue in ssh that saw the recently-added ObscureKeystrokeTiming feature work the opposite way as intended.

There are some new features too. Please see the release notes at https://openssh.com/releasenotes.html for more details.


Comments

    1. By grey (grey) on http://www.artkiver.com

      Thanks so much for this!

      I appreciate Qualys' in-depth bug explorations and plain text formatting.

      In downstreaming news, hopefully this PR for MacPorts (https://github.com/macports/macports-ports/pull/24754) will get merged soon, though I'll be the first to admit I don't think I have ever properly wrapped my head around GitHub's browser based code review tools.

      At least the proof of concept was for Linux and OpenBSD doesn't appear to be vulnerable!

      Hopefully macOS and other OSes may also be immune? Though it's my general observation that when an exploit is found, others may refactor it. The tidbit in Qualys' write up about this being related to something Mark Dowd had reported back in 2006 was fascinating contextually in such regards.

      Testing locally at least, 9.8p1 is working great!
      % ssh -V
      OpenSSH_9.8p1, LibreSSL 3.9.2
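As an added check (not code from the post, the commenter or the OpenSSH project): a POSIX shell function that parses the banner `ssh -V` prints, as quoted in the comment above, and reports whether the installed OpenSSH is at or above a required release such as 9.8. It assumes the banner begins with `OpenSSH_<major>.<minor>`, which holds for both the OpenBSD build (`OpenSSH_9.8`) and the portable build (`OpenSSH_9.8p1`); the portable `pN` suffix and any vendor string after it are ignored.

```shell
#!/bin/sh
# Added example, not code from the post or from the OpenSSH project.
# Parses the banner printed by "ssh -V" (which goes to stderr, hence 2>&1)
# and reports whether the installed OpenSSH is at or above a required
# release. Assumes the banner starts with "OpenSSH_<major>.<minor>", as in
# the output quoted above; the "pN" portable suffix is ignored.

# ssh_version_ok BANNER MAJOR MINOR
# Exit status: 0 = at or above MAJOR.MINOR, 1 = older, 2 = not an OpenSSH banner.
ssh_version_ok() {
    banner=$1
    want_major=$2
    want_minor=$3
    # Pull "X Y" out of "OpenSSH_X.Y..." with a POSIX BRE; no output means no match.
    ver=$(printf '%s\n' "$banner" |
          sed -n 's/^OpenSSH_\([0-9][0-9]*\)\.\([0-9][0-9]*\).*$/\1 \2/p')
    [ -n "$ver" ] || return 2
    # Split "X Y" into the two numbers via the (function-local) positional parameters.
    set -- $ver
    have_major=$1
    have_minor=$2
    if [ "$have_major" -gt "$want_major" ]; then
        return 0
    fi
    if [ "$have_major" -eq "$want_major" ] && [ "$have_minor" -ge "$want_minor" ]; then
        return 0
    fi
    return 1
}

# Demonstration on the banner quoted in the comment (a constructed input here,
# so the block runs offline); on a live host use: ssh_version_ok "$(ssh -V 2>&1)" 9 8
demo_banner='OpenSSH_9.8p1, LibreSSL 3.9.2'
if ssh_version_ok "$demo_banner" 9 8; then
    echo "$demo_banner: at or above 9.8"
else
    echo "$demo_banner: older than 9.8 (or unrecognised banner)"
fi
```

Two caveats when using this. `ssh -V` reports whichever client binary is first in `PATH`; on a host with more than one install (a ports build next to the vendor one, as in the MacPorts case above) confirm the version of the sshd that is actually listening, not just the client. And distributions commonly backport security fixes without changing the upstream version string, so a banner older than 9.8 is a prompt to check the package's changelog or advisory rather than proof that the fix is missing.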
      

Copyright © - Daniel Hartmeier. All rights reserved. Articles and comments are copyright their respective authors, submission implies license to publish on this web site. Contents of the archive prior to as well as images and HTML templates were copied from the fabulous original deadly.org with Jose's and Jim's kind permission. This journal runs as CGI with httpd(8) on OpenBSD, the source code is BSD licensed. undeadly \Un*dead"ly\, a. Not subject to death; immortal. [Obs.]