OpenSSH 5.8 has just been released. It will be available from the mirrors listed at http://www.openssh.com/ shortly. OpenSSH is a 100% complete SSH protocol version 1.3, 1.5 and 2.0 implementation and includes sftp client and server support. Once again, we would like to thank the OpenSSH community for their continued support of the project, especially those who contributed code or patches, reported bugs, tested snapshots or donated to the project. More information on donations may be found at: http://www.openssh.com/donations.html Changes since OpenSSH 5.7 ======================== Security: * Fix vulnerability in legacy certificate signing introduced in OpenSSH-5.6 and found by Mateusz Kocielski. Legacy certificates signed by OpenSSH 5.6 or 5.7 included data from the stack in place of a random nonce field. The contents of the stack do not appear to contain private data at this point, but this cannot be stated with certainty for all platform, library and compiler combinations. In particular, there exists a risk that some bytes from the privileged CA key may be accidentally included. A full advisory for this issue is available at: http://www.openssh.com/txt/legacy-cert.adv Portable OpenSSH Bugfixes: * Fix compilation failure when enableing SELinux support. * Do not attempt to call SELinux functions when SELinux is disabled. bz#1851 Checksums: ========= - SHA1 (openssh-5.8.tar.gz) = 205dece2c8b41c69b082eb65320d359987aae25b - SHA1 (openssh-5.8p1.tar.gz) = adebb2faa9aba2a3a3c8b401b2b19677ab53f0de Reporting Bugs: ============== - Please read http://www.openssh.com/report.html Security bugs should be reported directly to openssh at openssh.com OpenSSH is brought to you by Markus Friedl, Niels Provos, Theo de Raadt, Kevin Steves, Damien Miller, Darren Tucker, Jason McIntyre, Tim Rice and Ben Lindstrom.
Damien Miller <djm at cvs.openbsd.org> wrote: > Portable OpenSSH Bugfixes: > > * Fix compilation failure when enableing SELinux support. > > * Do not attempt to call SELinux functions when SELinux is disabled. > bz#1851 Thanks for fixing this. Unfortunately, it went wrong somehow. If configured on Linux (Fedora 14) with SELinux, compilation fails: gcc -g -O2 -Wall -Wpointer-arith -Wuninitialized -Wsign-compare -Wformat-security -Wno-pointer-sign -Wno-unused-result -fno-strict-aliasing -fno-builtin-memset -fstack-protector-all -I. -I.. -I. -I./.. -I/usr/local/ssl/include -DHAVE_CONFIG_H -c port-linux.c port-linux.c: In function ?ssh_selinux_setfscreatecon?: port-linux.c:212:21: warning: unused variable ?context? port-linux.c: At top level: port-linux.c:220:2: error: expected identifier or ?(? before ?if? port-linux.c:222:1: error: expected identifier or ?(? before ?}? token make[1]: *** [port-linux.o] Error 1 make[1]: Leaving directory `/usr/local/src/openssh-5.8p1/openbsd-compat' make: *** [openbsd-compat/libopenbsd-compat.a] Error 2 This patch fixes the problem: --- ./openbsd-compat/port-linux.c_orig 2011-02-04 01:43:08.000000000 +0100 +++ ./openbsd-compat/port-linux.c 2011-02-04 03:06:21.060012941 +0100 @@ -213,7 +213,7 @@ if (!ssh_selinux_enabled()) return; - if (path == NULL) + if (path == NULL) { setfscreatecon(NULL); return; } I really hope that you don't hate me for all this Linux weirdness. ;-) Greetings, Andreas
Maybe Matching Threads
- [v1 PATCH 0/1] Review request for a memory leak fix for openssh
- [Bug 1851] New: ssh_selinux_setfscreatecon segfaults if SELinux support is compiled in but is disabled at run-time
- ChrootDirectory fails if compiled with SELinux support (whether or not using SELinux)
- openssh-5.8p1 does not compille with --with-selinux
- [patch] the memory which is allocated by matchpathcon should be freed after it is useless