Hi,

OpenSSH 5.2 is almost ready for release, so we would appreciate testing
on as many platforms and systems as possible. This is primarily a bug-fix
release, to follow the feature-focused 5.1 release.

Snapshot releases for portable OpenSSH are available from
http://www.mindrot.org/openssh_snap/

The OpenBSD version is available in CVS HEAD:
http://www.openbsd.org/anoncvs.html

Portable OpenSSH is also available via anonymous CVS using the
instructions at http://www.openssh.com/portable.html#cvs

Running the regression tests supplied with Portable OpenSSH does not
require installation and is simply:

$ ./configure && make tests

Live testing on suitable non-production systems is also appreciated.
Please send reports of success or failure to
openssh-unix-dev at mindrot.org.

Below is a summary of changes. More detail may be found in the ChangeLog
in the portable OpenSSH tarballs.

Thanks to the many people who contributed to this release.

Changes since OpenSSH 5.1
=========================

Security:

 * This release changes the default cipher order to prefer the AES CTR
   modes and the revised "arcfour256" mode to CBC mode ciphers that are
   susceptible to CPNI-957037 "Plaintext Recovery Attack Against SSH".

 * This release also adds countermeasures to mitigate CPNI-957037-style
   attacks against the SSH protocol's use of CBC-mode ciphers. Upon
   detection of an invalid packet length or Message Authentication Code,
   ssh/sshd will continue reading up to the maximum supported packet
   length rather than immediately terminating the connection. This
   eliminates most of the known differences in behaviour that leaked
   information about the plaintext of injected data which formed the
   basis of this attack. We believe that these attacks are rendered
   infeasible by these changes.

New features:

 * Added a -y option to ssh(1) to force logging to syslog rather than
   stderr, which is useful when running daemonised (ssh -f)

 * The sshd_config(5) ForceCommand directive now accepts commandline
   arguments for the internal-sftp server.

 * The ssh(1) ~C escape commandline now supports runtime creation of
   dynamic (-D) port forwards.

 * Support the SOCKS4A protocol in ssh(1) dynamic (-D) forwards. (bz#1482)

 * Support remote port forwarding with a listen port of '0'. This informs
   the server that it should dynamically allocate a listen port and
   report it back to the client. (bz#1003)

 * sshd(8) now supports setting PermitEmptyPasswords and
   AllowAgentForwarding in Match blocks

Bug and documentation fixes

 * Repair a ssh(1) crash introduced in openssh-5.1 when the client is
   sent a zero-length banner (bz#1496)

 * Due to interoperability problems with certain broken SSH
   implementations, the eow at openssh.com and
   no-more-sessions at openssh.com protocol extensions are now only sent
   to peers that identify themselves as OpenSSH.

 * Make ssh(1) send the correct channel number for SSH2_MSG_CHANNEL_SUCCESS
   and SSH2_MSG_CHANNEL_FAILURE messages to avoid triggering 'Non-public
   channel' error messages on sshd(8) in openssh-5.1.

 * Avoid printing 'Non-public channel' warnings in sshd(8), since the
   ssh(1) has sent incorrect channel numbers since ~2004 (this reverts a
   behaviour introduced in openssh-5.1).

 * Avoid double-free in ssh(1) ~C escape -L handler (bz#1539)

 * Correct fail-on-error behaviour in sftp(1) batchmode for remote stat
   operations. (bz#1541)

 * Disable nonfunctional ssh(1) ~C escape handler in multiplex slave
   connections. (bz#1543)

 * Avoid hang in ssh(1) when attempting to connect to a server that has
   MaxSessions=0 set.

 * Multiple fixes to sshd(8) configuration test (-T) mode

 * Several core and portable OpenSSH bugs fixed: 1380, 1412, 1418, 1419,
   1421, 1490, 1491, 1492, 1514, 1515, 1518, 1520, 1538, 1540

 * Many manual page improvements.

-d
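The cipher-order change in the announcement matters because SSH picks the first cipher in the client's list that the server also offers (RFC 4253 section 7.1), so a CBC-first list negotiates CBC even against a peer that supports CTR. The Python below is an added example, not OpenSSH code: it models that negotiation and audits a `Ciphers` directive for the weak order. The preference lists and the config fragment are constructed for illustration and are not the real 5.1 or 5.2 defaults.

```python
import re

# Constructed preference lists (illustrative, not the real OpenSSH 5.1/5.2
# defaults): one listing CBC modes first, one preferring the CTR modes and
# arcfour256 as the 5.2 announcement describes.
CBC_FIRST = ["aes128-cbc", "3des-cbc", "aes256-cbc",
             "aes128-ctr", "aes192-ctr", "aes256-ctr", "arcfour256"]
CTR_FIRST = ["aes128-ctr", "aes192-ctr", "aes256-ctr", "arcfour256",
             "aes128-cbc", "3des-cbc", "aes256-cbc"]

def negotiate(client_algs, server_algs):
    """RFC 4253 section 7.1: the first algorithm in the client's list that
    the server also supports is chosen; None means no common algorithm."""
    offered = set(server_algs)
    for alg in client_algs:
        if alg in offered:
            return alg
    return None

def parse_ciphers(config_text):
    """Return the Ciphers list from ssh_config/sshd_config text (both the
    'key value' and 'key=value' forms), or None if the directive is absent."""
    for line in config_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        if len(parts) == 2 and parts[0].lower() == "ciphers":
            return [c.strip() for c in parts[1].split(",") if c.strip()]
    return None

def _ctr_or_arcfour256(cipher):
    # The modes the 5.2 announcement moves ahead of CBC.
    return cipher.endswith("-ctr") or cipher == "arcfour256"

def prefers_cbc(ciphers):
    """True if a CBC-mode cipher is listed ahead of every CTR/arcfour256
    entry, so a peer offering both would end up with CBC (the weak order)."""
    cut = next((i for i, c in enumerate(ciphers) if _ctr_or_arcfour256(c)),
               len(ciphers))
    return any(c.endswith("-cbc") for c in ciphers[:cut])

if __name__ == "__main__":
    # Constructed ssh_config fragment with a CBC-first Ciphers line.
    weak = parse_ciphers("Host *\n    Ciphers aes128-cbc,3des-cbc,aes128-ctr\n")
    print("weak order prefers CBC:", prefers_cbc(weak))
    print("weak client vs 5.2-style server:", negotiate(weak, CTR_FIRST))
    print("5.2-style client vs weak server:", negotiate(CTR_FIRST, weak))
```

Run the `prefers_cbc` check over an existing `Ciphers` line to see whether a host would still negotiate CBC against a peer that offers both modes.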
On Feb 16 15:32, Damien Miller wrote:
> Hi,
>
> OpenSSH 5.2 is almost ready for release, so we would appreciate testing
> on as many platforms and systems as possible. This is primarily a bug-fix
> release, to follow the feature-focused 5.1 release.

Builds and runs fine on Cygwin 1.7.

Since I won't support any new OpenSSH package for Cygwin 1.5, and since
Cygwin 1.7 will stop supporting Windows 9x, I'm wondering if it's ok to
strip all Windows 9x support, as well as the *really* old Cygwin version
considerations from OpenSSH at this point. It will strip some extra
Cygwin-only code from portable SSH.

Or, maybe we should do that right after the 5.2p1 release?

Corinna

--
Corinna Vinschen
Cygwin Project Co-Leader
Red Hat
Hi,

On Mon, Feb 16, 2009 at 03:32:26PM +1100, Damien Miller wrote:
> OpenSSH 5.2 is almost ready for release, so we would appreciate testing
> on as many platforms and systems as possible. This is primarily a bug-fix
> release, to follow the feature-focused 5.1 release.

I've checked out the CVS snapshot, autoreconf / configure / make'd
things, and it all built fine. NetBSD 3.1 on Sparc64.

"make tests" fails after a while, though, with these last lines:

...
mm_send_fd: sendmsg(0): Invalid argument
muxclient: send fds failed
Falling back to non-multiplexed connection
mm_receive_fd: recvmsg: expected received 1 got 0
muxserver_accept_control: failed to receive fd 0 from slave
ssh: Could not resolve hostname otherhost: No address associated with hostname
exit code (with sleep) mismatch for protocol : 255 != 44
Master running (pid=15159)
Exit request sent.
failed connection multiplexing
*** Error code 1

"should it be doing this"?

gert

--
USENET is *not* the non-clickable part of WWW!
//www.muc.de/~gert/
Gert Doering - Munich, Germany                  gert at greenie.muc.de
fax: +49-89-35655025                            gert at net.informatik.tu-muenchen.de
On 02/16/2009 15:32, Damien Miller wrote:
> Hi,
>
> OpenSSH 5.2 is almost ready for release, so we would appreciate testing
> on as many platforms and systems as possible. This is primarily a bug-fix
> release, to follow the feature-focused 5.1 release.
[...]
> $ ./configure && make tests
>
> Live testing on suitable non-production systems is also appreciated.
> Please send reports of success or failure to
> openssh-unix-dev at mindrot.org.

On SCO OSR6 w/mp3 installed, openssh-SNAP-20090216.tar.gz, 'make tests'
fails with:

run test key-options.sh ...
key option proto 1 command="echo bar"
key option proto 1 no-pty,command="echo bar"
key option proto 2 command="echo bar"
key option proto 2 no-pty,command="echo bar"
key option proto 1 no-pty
key option proto 2 no-pty
key option proto 1 environment
key option proto 2 environment
key option proto 1 from="127.0.0.1"
key option proto 1 from="127.0.0.1" not allowed but should be
key option proto 1 from="127.0.0.0/8"
key option proto 1 from="127.0.0.0/8" not allowed but should be
key option proto 2 from="127.0.0.1"
key option proto 2 from="127.0.0.1" not allowed but should be
key option proto 2 from="127.0.0.0/8"
key option proto 2 from="127.0.0.0/8" not allowed but should be
failed key options
make[1]: *** [t-exec] Error 1
make[1]: Leaving directory `/u1/src/rac/openssh/csv/openssh/regress'
make: *** [tests] Error 2

I won't have time to investigate for several days. If anyone has
suggestions they would be appreciated.

--
Roger Cornelius            rac at tenzing.org
Compiled and tested openssh-SNAP-20090217.tar.gz on Slackware-12.0.0.
All tests succeeded.

Thanks,

Andy

Dr Andy Tsouladze
Sr Unix/Storage SysAdmin
Just to make sure that the oldies are covered...

All tests completed and passed on Solaris 8 and Fedora 7. Solaris 8
required the --without-zlib-version-check flag to configure due to having
merely patched the long ago vulnerable version of zlib without updating
the version number. No configure flags were used otherwise.

Bill Knox
Lead Infosec Engineer/Scientist
The MITRE Corporation

-----Original Message-----
From: openssh-unix-dev-bounces+wknox=mitre.org at mindrot.org
[mailto:openssh-unix-dev-bounces+wknox=mitre.org at mindrot.org] On Behalf
Of Damien Miller
Sent: Sunday, February 15, 2009 11:32 PM
To: openssh-unix-dev at mindrot.org
Subject: Call for testing: openssh-5.2
On Mon, 16 Feb 2009, Damien Miller wrote:
> Running the regression tests supplied with Portable OpenSSH does not
> require installation and is simply:
>
> $ ./configure && make tests

both tests with:

http://www.mindrot.org/openssh_snap/openssh-SNAP-20090219.tar.gz
gcc 3.4.3
OpenSSL 0.9.8a (with security fixes)

SPARC VII, Solaris Nevada 107 (01/2009), all tests passed
i386, Solaris Nevada 108 (02/2009), all tests passed

--
Jan Pechanec
System: AIX 5.2
Result: all tests passed

System: AIX 5.3
Result: all tests passed

on both systems the test "agent-getpeereid.sh" was skipped: need SUDO to
switch to uid nobody

frank
On Sun, Feb 15, 2009 at 22:32:26 -0600, Damien Miller wrote:
> Hi,
>
> OpenSSH 5.2 is almost ready for release, so we would appreciate testing
> on as many platforms and systems as possible. This is primarily a bug-fix
> release, to follow the feature-focused 5.1 release.
>

The 20090220 snapshot builds and tests successfully against the following
platforms:

Red Hat Enterprise Linux 4u7 (x86_64), gcc 3.4.6
Red Hat Enterprise Linux 5.3 (x86_64), gcc 4.1.2
SuSE Linux Enterprise Server 10u2 (x86_64), gcc 4.1.2
SuSE Linux Enterprise Server 10u1 (IA64), gcc 4.1.2
Solaris 9 (SPARC), Forte 7 C
Solaris 9 (SPARC), gcc 3.3.1

--
Iain Morgan
Iain Morgan wrote:
> > OpenSSH 5.2 is almost ready for release, so we would appreciate
> > testing on as many platforms and systems as possible.
>
> The 20090220 snapshot builds and tests successfully against the
> following platforms:
>
> Red Hat Enterprise Linux 4u7 (x86_64), gcc 3.4.6
> Red Hat Enterprise Linux 5.3 (x86_64), gcc 4.1.2
> SuSE Linux Enterprise Server 10u2 (x86_64), gcc 4.1.2
> SuSE Linux Enterprise Server 10u1 (IA64), gcc 4.1.2

all tests passed also on 32-bit x86, gcc (Gentoo 4.3.2-r2 p1.5,
pie-10.1.5) 4.3.2

//Peter