Hi,

OpenSSH 9.3p1 is almost ready for release, so we would appreciate testing
on as many platforms and systems as possible. This is a bugfix release.

Snapshot releases for portable OpenSSH are available from
http://www.mindrot.org/openssh_snap/

The OpenBSD version is available in CVS HEAD:
http://www.openbsd.org/anoncvs.html

Portable OpenSSH is also available via git using the
instructions at http://www.openssh.com/portable.html#cvs
At https://anongit.mindrot.org/openssh.git/ or via a mirror at GitHub:
https://github.com/openssh/openssh-portable

Running the regression tests supplied with Portable OpenSSH does not
require installation and is simply:

    $ ./configure && make tests

Live testing on suitable non-production systems is also appreciated.
Please send reports of success or failure to
openssh-unix-dev at mindrot.org. Security bugs should be reported
directly to openssh at openssh.com.

Below is a summary of changes. More detail may be found in the ChangeLog
in the portable OpenSSH tarballs.

Thanks to the many people who contributed to this release.

Changes since OpenSSH 9.2
=========================

New features
------------

 * ssh-keygen(1), ssh-keyscan(1): accept -Ohashalg=sha1|sha256 when
   outputting SSHFP fingerprints to allow algorithm selection. bz3493

 * sshd(8): add a `sshd -G` option that parses and prints the
   effective configuration without attempting to load private keys
   and perform other checks. This allows usage of the option before
   keys have been generated and for configuration evaluation and
   verification by unprivileged users.

Bugfixes
--------

 * scp(1), sftp(1): fix progressmeter corruption on wide displays;
   bz3534

 * ssh-add(1), ssh-keygen(1): use RSA/SHA256 when testing usability
   of private keys as some systems are starting to disable RSA/SHA1
   in libcrypto.

 * sftp-server(8): fix a memory leak. GHPR363

 * ssh(1), sshd(8), ssh-keyscan(1): remove vestigial protocol
   compatibility code and simplify what's left.

 * Fix a number of low-impact Coverity static analysis findings.

 * ssh_config(5), sshd_config(5): mention that some options are not
   first-match-wins.

 * Rework logging for the regression tests. Regression tests will now
   capture separate logs for each ssh and sshd invocation in a test.

 * ssh(1): make `ssh -Q CASignatureAlgorithms` work as the manpage
   says it should; bz3532.

 * ssh(1): ensure that there is a terminating newline when adding a
   new entry to known_hosts; bz3529

Portability
-----------

 * sshd(8): harden Linux seccomp sandbox. Move to an allowlist of
   mmap(2), madvise(2) and futex(2) flags, removing some concerning
   kernel attack surface.

 * sshd(8): improve Linux seccomp-bpf sandbox for older systems;
   bz3537
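
The `sshd -G` option announced above lends itself to a configuration check run by an unprivileged user. The script below is an added example, not part of the original message or of OpenSSH; the baseline values, the sample output and the function name `audit_effective_config` are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit the effective configuration that `sshd -G` prints.
# The output is one "keyword value" pair per line with lowercase keywords.

# Constructed baseline for illustration (not an OpenSSH default and not taken
# from the release notes): keyword=expected-value pairs.
BASELINE='permitrootlogin=no passwordauthentication=no permitemptypasswords=no x11forwarding=no'

# Constructed sample of `sshd -G` output so the script runs without sshd.
SAMPLE_EFFECTIVE='port 22
permitrootlogin yes
passwordauthentication no
x11forwarding yes'

# Reads effective configuration on stdin, prints one finding per line and
# returns non-zero when any baseline keyword deviates or is absent.
audit_effective_config() {
    awk -v baseline="$BASELINE" '
    BEGIN {
        n = split(baseline, pairs, " ")
        for (i = 1; i <= n; i++) {
            split(pairs[i], kv, "=")
            want[kv[1]] = kv[2]
        }
    }
    NF >= 2 {
        key = tolower($1)
        val = $0
        sub(/^[^ \t]+[ \t]+/, "", val)      # everything after the keyword
        if (!(key in want)) next
        seen[key] = 1
        if (val != want[key]) {
            printf "DEVIATION %s effective=%s expected=%s\n", key, val, want[key]
            bad++
        }
    }
    END {
        for (k in want) if (!(k in seen)) {
            printf "MISSING %s expected=%s\n", k, want[k]
            bad++
        }
        exit (bad > 0)
    }'
}

# Real use on OpenSSH 9.3 or later, as an unprivileged user:
#   sshd -G | audit_effective_config
printf '%s\n' "$SAMPLE_EFFECTIVE" | audit_effective_config || true
```

Because the check reads the parsed, effective values rather than the configuration file text, it reports the setting sshd would actually apply.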

On Mar 10 15:33, Damien Miller wrote:
> Hi,
>
> OpenSSH 9.3p1 is almost ready for release, so we would appreciate testing
> on as many platforms and systems as possible. This is a bugfix release.

Builds (from git master) and runs fine on Cygwin, all tests pass.

Thanks,
Corinna

Dear Damien,

Build and tests on Fedora 36 have passed.

On Fri, Mar 10, 2023 at 5:35 AM Damien Miller <djm at mindrot.org> wrote:
> Hi,
>
> OpenSSH 9.3p1 is almost ready for release, so we would appreciate testing
> on as many platforms and systems as possible. This is a bugfix release.

--
Dmitry Belyavskiy

Hi Damien,

builds on OpenIndiana /hipster:
* GCC 11
* OpenSSL 1.1.1t

---8<------
/pz/SFW/bin/ssh -V
OpenSSH_9.2p1-snap20230314, OpenSSL 1.1.1t 7 Feb 2023

/pz/SFW/sbin/sshd -V
OpenSSH_9.2, OpenSSL 1.1.1t 7 Feb 2023
---8<------

Thanks and regards

On 3/10/23 05:33, Damien Miller wrote:
> Hi,
>
> OpenSSH 9.3p1 is almost ready for release, so we would appreciate testing
> on as many platforms and systems as possible. This is a bugfix release.

--
Predrag Zečević