We have just activated pre-orders for the OpenBSD 3.6 release, which

will be released and start shipping Nov 1, 2004.  As always, those

who pre-order will receive their CDs first.
There is a new 3-CD set and a new poster which can be ordered from:
	http://www.openbsd.org/orders.html
An OpenBSD 3.6 T-Shirt will be added in the coming weeks.
OpenBSD 3.6 contains numerous improvements over previous releases--

most notably SMP support on i386 and amd64.  For a summary of major

changes in 3.6, see:
        http://www.openbsd.org/36.html
(Please bear with us, since this document is actively being worked

on by the developers :)
A much more detailed summary is also available:
        http://www.openbsd.org/plus.html
Please keep in mind that this project is completely funded by CD sales

and donations from our user community.
Thank you.

Due to the release of OpenBSD 3.6, the 3.4-STABLE branch will be

out of regular maintainance starting today. There will be

NO MORE fixes commited to this branch nor new patches.
People relying on 3.4-STABLE (or older releases even) are strongly

advised to upgrade to a more recent release (preferrably 3.6)

as soon as possible.

OpenSSH 4.3 has just been released. It will be available from the

mirrors listed at http://www.openssh.com/ shortly.
OpenSSH is a 100% complete SSH protocol version 1.3, 1.5 and 2.0

implementation and includes sftp client and server support.
We have also recently completed another Internet SSH usage scan, the

results of which may be found at http://www.openssh.com/usage.html
Once again, we would like to thank the OpenSSH community for their

continued support of the project, especially those who contributed

code or patches, reported bugs, tested snapshots and purchased

T-shirts or posters.
T-shirt, poster and CD sales directly support the project. Pictures

and more information can be found at:

        http://www.openbsd.org/tshirts.html and

	http://www.openbsd.org/orders.html
For international orders use http://https.openbsd.org/cgi-bin/order

and for European orders, use http://https.openbsd.org/cgi-bin/order.eu
Changes since OpenSSH 4.2:

============================ 
Security bugs resolved in this release:
 * CVE-2006-0225: scp (as does rcp, on which it is based) invoked a

   subshell to perform local to local, and remote to remote copy

   operations. This subshell exposed filenames to shell expansion

   twice; allowing a local attacker to create filenames containing

   shell metacharacters that, if matched by a wildcard, could lead

   to execution of attacker-specified commands with the privilege of

   the user running scp (Bugzilla #1094)
This is primarily a bug-fix release, only one new feature has been

added: 
 * Add support for tunneling arbitrary network packets over a

   connection between an OpenSSH client and server via tun(4) virtual

   network interfaces. This allows the use of OpenSSH (4.3+) to create

   a true VPN between the client and server providing real network

   connectivity at layer 2 or 3. This feature is experimental and is

   currently supported on OpenBSD, Linux, NetBSD (IPv4 only) and

   FreeBSD. Other operating systems with tun/...
[ message continues ]

OpenSSH 4.5 has just been released. It will be available from the

mirrors listed at http://www.openssh.com/ shortly.
OpenSSH is a 100% complete SSH protocol version 1.3, 1.5 and 2.0

implementation and includes sftp client and server support.
Once again, we would like to thank the OpenSSH community for their

continued support of the project, especially those who contributed

code or patches, reported bugs, tested snapshots and purchased

T-shirts or posters.
T-shirt, poster and CD sales directly support the project. Pictures

and more information can be found at:

        http://www.openbsd.org/tshirts.html and

	http://www.openbsd.org/orders.html
For international orders use http://https.openbsd.org/cgi-bin/order

and for European orders, use http://https.openbsd.org/cgi-bin/order.eu
Changes since OpenSSH 4.4:

============================
This is a bugfix only release. No new features have been added.
Security bugs resolved in this release:
 * Fix a bug in the sshd privilege separation monitor that weakened its

   verification of successful authentication. This bug is not known to

   be exploitable in the absence of additional vulnerabilities.
This release includes the following non-security fixes:
 * Several compilation fixes for portable OpenSSH
 * Fixes to Solaris SMF/process contract support (bugzilla #1255)
Thanks to everyone who has contributed patches, reported bugs and

tested releases.
Checksums:

==========
- SHA1 (openssh-4.5.tar.gz) = def3de1557181062d788695b9371d02635af39fb

- SHA1 (openssh-4.5p1.tar.gz) = 2eefcbbeb9e4fa16fa4500dec107d1a09d3d02d7
Reporting Bugs:

===============
- please read http://www.openssh.com/report.html

  and http://bugzilla.mindrot.org/
OpenSSH is brought to you by Markus Friedl, Niels Provos, Theo de Raadt,

Kevin Steves, Damien Miller, Darren Tucker, Jason McIntyre, Tim Rice and

Ben Lindstrom.

Hi,
There was an error in the original advisory. The estimate of 32768

attempts to carry out a successful attack is incorrect. The correct

estimate is 11356 attempts. A revised version is now available at:

http://www.openssh.com/txt/cbc.adv
The advisory and its recommendations are otherwise unchanged.
-d

OpenSSH 5.0 has just been released. It will be available from the

mirrors listed at http://www.openssh.com/ shortly.
We apologise for any inconvenience resulting from this release

being made so shortly after 4.9. Unfortunately we only learned of

the below security issue from the public CVE report. The Debian

OpenSSH maintainers responsible for handling the initial report of

this bug failed to report it via either the private OpenSSH security

contact list (openssh@openssh.com) or the portable OpenSSH Bugzilla

(http://bugzilla.mindrot.org/).
We ask anyone wishing to report security bugs in OpenSSH to please use

the openssh@openssh.com contact and to practice responsible disclosure.
OpenSSH is a 100% complete SSH protocol version 1.3, 1.5 and 2.0

implementation and includes sftp client and server support.
Once again, we would like to thank the OpenSSH community for their

continued support of the project, especially those who contributed

code or patches, reported bugs, tested snapshots and purchased

T-shirts or posters.
T-shirt, poster and CD sales directly support the project. Pictures

and more information can be found at:

        http://www.openbsd.org/tshirts.html and

	http://www.openbsd.org/orders.html
For international orders use http://https.openbsd.org/cgi-bin/order

and for European orders, use http://https.openbsd.org/cgi-bin/order.eu
Changes since OpenSSH 4.9:

============================
Security:
 * CVE-2008-1483: Avoid possible hijacking of X11-forwarded connections

   by refusing to listen on a port unless all address families bind

   successfully.
Checksums:

==========
 - SHA1 (openssh-5.0.tar.gz) = 729fb3168edf6a68408223b5ed82e59d13b57c47

 - SHA1 (openssh-5.0p1.tar.gz) = 121cea3a730c0b0353334b6f46f438de30ab4928
Reporting Bugs:

===============
- please read http://www.openssh.com/report.html

  and http://bugzilla.mindrot.org/
OpenSSH is brought to you by Markus Friedl, Niels Provos, Theo de Raadt,

Kevin Steves, Damien Miller, Darren Tucke...
[ message continues ]

------------------------------------------------------------------------

- OpenBSD 4.2 RELEASED -------------------------------------------------
Nov 1, 2007.
We are pleased to announce the official release of OpenBSD 4.2.

This is our 22nd release on CD-ROM (and 23rd via FTP).  We remain

proud of OpenBSD's record of more than ten years with only two remote

holes in the default install.
We dedicate this release to the memory of long-time developer

Jun-ichiro "itojun" Itoh Hagino, who focused his life on IPv6

deployment for everyone.  Without his BSD and IETF participation, IPv6

would not be where it is today.  Only now people are becoming aware of

his numerous contributions because he took credit for much less than

he accomplished.  The developers in our project will all miss him.
As in our previous releases, 4.2 provides significant improvements,

including new features, in nearly all areas of the system:
- New/extended platforms:

    o OpenBSD/sparc64.

      The PCIe UltraSPARC IIIi machines like the V215 and V245 are

      now supported.

    o OpenBSD/hppa.

      Four-digit B/C/J-class workstations like the B2000, C3750 or J6750

      are now supported (in 32-bit mode).

    o OpenBSD/alpha.

      Add support in the alpha platform for a couple of new Alpha models,

      AlphaServer 1200 and 4100.
- Platforms skipped this release:

    o OpenBSD/sgi.

      This architecture will not be released this time. 
- Install/Upgrade process changes:

    o New install method!!

      For the most popular architectures, the FTP sites have a ~200MB

      install ISO file, which contains the base set, permitting

      non-network installs.

    o Allow the specification of an NTP server during installation.

    o Allow no fsck'ing of clean non-root partitions during upgrade.

    o Check for INSTALL.<arch> to confirm sets are for the correct

      architecture.

    o Create and format the MSDOS partition for macppc installs

      in a more flexible and reliable way. 
-...
[ message continues ]

1. Systems affected:
	All versions of OpenSSH between 2.0 and 3.0.2 contain

	an off-by-one error in the channel code.
	OpenSSH 3.1 and later are not affected.
2. Impact:
        This bug can be exploited locally by an authenticated user

        logging into a vulnerable OpenSSH server or by a malicious

        SSH server attacking a vulnerable OpenSSH client.
3. Solution:
	Upgrade to OpenSSH 3.1 or apply the following patch.
4. Credits:
	This bug was discovered by Joost Pol <joost@pine.nl>
Appendix:
Index: channels.c

===================================================================

RCS file: /cvs/src/usr.bin/ssh/channels.c,v

retrieving revision 1.170

retrieving revision 1.171

diff -u -r1.170 -r1.171

--- channels.c	27 Feb 2002 21:23:13 -0000	1.170

+++ channels.c	4 Mar 2002 19:37:58 -0000	1.171

@@ -146,7 +146,7 @@

 {

 	Channel *c;
-	if (id < 0 || id > channels_alloc) {

+	if (id < 0 || id >= channels_alloc) {

 		log("channel_lookup: %d: bad id", id);

 		return NULL;

 	}

We are happy to announce that 4.6-stable ports will soon be receiving

security updates and fixes.
Please note that this also marks the end of updates to 4.5-stable

ports, as we are supporting the presently-available release only.

------------------------------------------------------------------------

- OpenBSD 3.1 RELEASED -------------------------------------------------
May 19, 2002.
It is our pleasure to officially announce the release of OpenBSD

3.1.  This year OpenBSD turns 7 years old.  In celebration of this

milestone, we invite you to enjoy our 11th release on CD-ROM (and

12th via FTP).  We continue to celebrate OpenBSD's record of four

years without a remote hole in the default install.  Just like all

of our previous releases, 3.1 provides significant improvements,

including new features, in nearly all areas of the system:
- Improved hardware support             (http://www.OpenBSD.org/plat.html)
  o Much improved support for UltraSPARC hardware.  More models are

    supported and X11 works on all supported models.
  o Improved 802.11b support, including a host-based access point

    mode for Prism chipsets (i.e. wireless bridging).  It is now

    possible to completely configure a wireless interface using ifconfig.
  o The hardware crypto drivers now work on all PCI platforms.
  o Major macppc improvements including a brand new pmap module

    that cut 'make build' time by over an hour.
  o Tekram TRM-S1040 based PCI SCSI controllers are now supported.
  o Creative SB Live! cards are now supported.
  o HiFn 7811 is now supported by the hifn driver.  A long-standing

    bug causing PCI aborts has also been fixed in the hifn driver.
  o Kernel support for Altivec on the macppc platform.
- Major improvements in the pf packet filter:
  o Significant performance improvements due to additional optimizations

    based on detailed benchmarks.  Filter rule evaluation cost

    (which occurs for every packet that isn't passed statefully)

    is reduced by about 70%.
  o Stateful filtering (including address translation and redirection)

    for arbitrary IP protocols other than TCP, UDP and ICMP, for

    instance GRE (used for IPsec/PPTP).
  o Configurable memory limits (preven...
[ message continues ]

There is an upcoming OpenSSH vulnerability that we're working on with

ISS.  Details will be published early next week.
However, I can say that when OpenSSH's sshd(8) is running with priv

seperation, the bug cannot be exploited.
OpenSSH 3.3p was released a few days ago, with various improvements

but in particular, it significantly improves the Linux and Solaris

support for priv sep.  However, it is not yet perfect.  Compression is

disabled on some systems, and the many varieties of PAM are causing

major headaches.
However, everyone should update to OpenSSH 3.3 immediately, and enable

priv seperation in their ssh daemons, by setting this in your

/etc/ssh/sshd_config file:
	UsePrivilegeSeparation yes
Depending on what your system is, privsep may break some ssh

functionality.  However, with privsep turned on, you are immune from

at least one remote hole.  Understand?
3.3 does not contain a fix for this upcoming bug.
If priv seperation does not work on your operating system, you need to

work with your vendor so that we get patches to make it work on your

system.  Our developers are swamped enough without trying to support

the myriad of PAM and other issues which exist in various systems.

You must call on your vendors to help us.
Basically, OpenSSH sshd(8) is something like 27000 lines of code.  A

lot of that runs as root.  But when UsePrivilegeSeparation is enabled,

the daemon splits into two parts.  A part containing about 2500 lines

of code remains as root, and the rest of the code is shoved into a

chroot-jail without any privs.  This makes the daemon less vulnerable

to attack.
We've been trying to warn vendors about 3.3 and the need for privsep,

but they really have not heeded our call for assistance.  They have

basically ignored us.  Some, like Alan Cox, even went further stating

that privsep was not being worked on because "Nobody provided any info

which proves the problem, and many people dont trust you theo" and

suggested I "might be feeding everyone a trojan" ...
[ message continues ]

OpenSSH 3.6.1 has just been released. It will be available from the

mirrors listed at http://www.openssh.com/ shortly.
OpenSSH is a 100% complete SSH protocol version 1.3, 1.5 and 2.0

implementation and includes sftp client and server support.
We would like to thank the OpenSSH community for their continued

support to the project, especially those who contributed source and

bought T-shirts or posters.
We have a new design of T-shirt available, more info on

	http://www.openbsd.org/tshirts.html#18
For international orders use http://https.openbsd.org/cgi-bin/order

and for European orders, use http://https.openbsd.org/cgi-bin/order.eu
Changes since OpenSSH 3.6:

========================== 
* The 'kex guesses' bugfix from OpenSSH 3.6 triggers a bug

  in a few other SSH v2 implementations and causes connections to

  stall.  OpenSSH 3.6.1 disables this bugfix when interoperating

  with these implementations.
Changes between OpenSSH 3.5 and OpenSSH 3.6:

============================================
* RSA blinding is now used by ssh(1), sshd(8) and ssh-agent(1).

  in order to avoid potential timing attacks against the RSA keys.

  Older versions of OpenSSH have been using RSA blinding in

  ssh-keysign(1) only.
  Please note that there is no evidence that the SSH protocol is

  vulnerable to the OpenSSL/TLS timing attack described in

        http://crypto.stanford.edu/~dabo/papers/ssl-timing.pdf
* ssh-agent(1) optionally requires user confirmation if a key gets

  used, see '-c' in ssh-add(1).
* sshd(8) now handles PermitRootLogin correctly when UsePrivilegeSeparation

  is enabled.
* sshd(8) now removes X11 cookies when a session gets closed.
* ssh-keysign(8) is disabled by default and only enabled if the

  new EnableSSHKeysign option is set in the global ssh_config(5)

  file.
* ssh(1) and sshd(8) now handle 'kex guesses' correctly (key exchange

  guesses).
* ssh(1) no longer overwrites SIG_IGN.  This matches behaviour from

  rsh(1) and is used by backup to...
[ message continues ]

I've set up a completely unofficial BSDCon Wiki for attendees of next

week's Usenix BSD Conference in San Mateo.  Wikis are collaborative

websites, allowing anyone to edit and add pages -- tips for good areas

to eat, impromptu BoFs, social events, links to papers, and so on.

Other conferences have found these to be an excellent way for attendees

to share information, and I hope it will prove useful for this

conference too.
Please visit:
     http://bsdcon.kwiki.org/
and feel free to add information you think will be useful.
N