Contributed by Peter N. M. Hansteen on from the SSH! listen to the sound of bugs fixed dept.
Damien Miller (djm@) announced the availability of the new OpenSSH version 9.8:
OpenSSH 9.8 has just been released. This release includes a fix for a critical race condition in sshd that could be exploited for remote code execution so you should definitely patch or upgrade. It also contains a fix for a minor issue in ssh that saw the recently-added ObscureKeystrokeTiming feature work the opposite way as intended. There are some new features too. Please see the release notes at https://openssh.com/releasenotes.html for more details.
By Damien Miller (djm) djm@mindrot.org on
Comments
By grey (grey) on http://www.artkiver.com
I appreciate Qualys' in-depth bug explorations and plain text formatting.
In downstreaming news, hopefully this PR for MacPorts (https://github.com/macports/macports-ports/pull/24754) will get merged soon, though I'll be the first to admit I don't think I have ever properly wrapped my head around GitHub's browser-based code review tools.
At least the proof of concept was for Linux and OpenBSD doesn't appear to be vulnerable!
Hopefully macOS and other OSes may also be immune? Though it's my general observation that when an exploit is found, others may refactor it. The tidbit in Qualys' write-up about this being related to something Mark Dowd had reported back in 2006 was fascinating contextually in such regards.
Testing locally at least, 9.8p1 is working great!