Announce: OpenSSH 4.4 released

Date: Wednesday, September 27, 2006 - 6:34 pm

OpenSSH 4.4 has just been released. It will be available from the
mirrors listed at http://www.openssh.com/ shortly.

OpenSSH is a 100% complete SSH protocol version 1.3, 1.5 and 2.0
implementation and includes sftp client and server support.

Once again, we would like to thank the OpenSSH community for their
continued support of the project, especially those who contributed
code or patches, reported bugs, tested snapshots and purchased
T-shirts or posters.

T-shirt, poster and CD sales directly support the project. Pictures
and more information can be found at:
http://www.openbsd.org/tshirts.html and
http://www.openbsd.org/orders.html

For international orders use http://https.openbsd.org/cgi-bin/order
and for European orders, use http://https.openbsd.org/cgi-bin/order.eu

Changes since OpenSSH 4.3:
============================

Security bugs resolved in this release:

* Fix a pre-authentication denial of service found by Tavis Ormandy,
that would cause sshd(8) to spin until the login grace time
expired.

* Fix an unsafe signal handler reported by Mark Dowd. The signal
handler was vulnerable to a race condition that could be exploited
to perform a pre-authentication denial of service. On portable
OpenSSH, this vulnerability could theoretically lead to
pre-authentication remote code execution if GSSAPI authentication
is enabled, but the likelihood of successful exploitation appears
remote.

* On portable OpenSSH, fix a GSSAPI authentication abort that could
be used to determine the validity of usernames on some platforms.

This release includes the following new functionality and fixes:

* Implemented conditional configuration in sshd_config(5) using the
"Match" directive. This allows some configuration options to be
selectively overridden if specific criteria (based on user, group,
hostname and/or address) are met. So far a useful subset of post-
authentication options are supported and more are expected to be
added in future releases.

* Add support for Diffie-Hellman group exchange key agreement with a
final hash of SHA256.

* Added a "ForceCommand" directive to sshd_config(5). Similar to the
command="..." option accepted in ~/.ssh/authorized_keys, this forces
the execution of the specified command regardless of what the user
requested. This is very useful in conjunction with the new "Match"
option.

* Add a "PermitOpen" directive to sshd_config(5). This mirrors the
permitopen="..." authorized_keys option, allowing fine-grained
control over the port-forwardings that a user is allowed to
establish.

* Add optional logging of transactions to sftp-server(8).

* ssh(1) will now record port numbers for hosts stored in
~/.ssh/authorized_keys when a non-standard port has been requested.

* Add an "ExitOnForwardFailure" option to cause ssh(1) to exit (with
a non-zero exit code) when requested port forwardings could not be
established.

* Extend sshd_config(5) "SubSystem" declarations to allow the
specification of command-line arguments.

* Replacement of all integer overflow susceptible invocations of
malloc(3) and realloc(3) with overflow-checking equivalents.

* Many manpage fixes and improvements

* New portable OpenSSH-specific features:

- Add optional support for SELinux, controlled using the
--with-selinux configure option (experimental)

- Add optional support for Solaris process contracts, enabled
using the --with-solaris-contracts configure option (experimental)
This option will also include SMF metadata in Solaris packages
built using the "make package" target

- Add optional support for OpenSSL hardware accelerators (engines),
enabled using the --with-ssl-engine configure option.

* Bugs from http://bugzilla.mindrot.org fixed:
#482 - readconf doesn't accept paths with spaces in them.
#906 - syslog messages from sshd [net] lost.
#975 - Kerberos authentication timing can leak information
about account validity.
#981 - Flow stop in SSH2.
#1102 - C program 'write' with zero length hangs.
#1129 - sshd hangs for command-only invocations due to
fork/child signals.
#1131 - error "buffer_append_space:alloc not supported"
#1138 - Passphrase asked for (but ignored) if key file permissions
too liberal.
#1156 - Closes connection after C-c is pressed on QNX.
#1157 - ssh-keygen doesn't handle DOS line breaks.
#1159 - %u and %h not handled in IdentityFile.
#1161 - scp -r fails.
#1162 - Inappropriate sequence of syslog messages.
#1166 - openssh-4.3p1 has some issues compiling.
#1171 - configure can't always figure out LLONG_MAX.
#1173 - scp reports lost connection for very large files.
#1177 - Incorrect sshrc file location in Makefile.in.
#1179 - sshd incorrectly rejects connections due to IP options.
#1181 - configure should detect when openssl-0.9.8x needs -ldl.
#1186 - ssh tries multiple times to open unprotected keys.
#1188 - keyboard-interactive should not allow retry after
pam_acct_mgmt fails.
#1193 - Open ssh will not allow changing of passwords on usernames
greater than 8 characters.
#1201 - Bind address information is not specified in command line
help messages.
#1203 - configure.ac is missing an open [.
#1207 - sshd does not clear unsuccessful login count on
non-interactive logins.
#1218 - GSSAPI client code permits SPNEGO usage.
#1221 - Banner only suppressed at log level = QUIET (used to be
at log level < INFO).

* Fixes to memory and file descriptor leaks reported by the Coverity
static analysis tool

* Fixes to inconsistent pointer checks reported by the Stanford
SATURN tool

Thanks to everyone who has contributed patches, reported bugs and
tested releases.

Checksums:
==========

- SHA1 (openssh-4.4.tar.gz) = 2294b5e5a591420aa05ff607c1890ab622ace878
- SHA1 (openssh-4.4p1.tar.gz) = 6a52b1dee1c2c9862923c0008d201d98a7fd9d6c

Reporting Bugs:
===============

- please read http://www.openssh.com/report.html
and http://bugzilla.mindrot.org/

OpenSSH is brought to you by Markus Friedl, Niels Provos, Theo de Raadt,
Kevin Steves, Damien Miller, Darren Tucker, Jason McIntyre, Tim Rice and
Ben Lindstrom.
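The "Match", "ForceCommand" and "PermitOpen" directives announced above, worked through as an added Python model. This is illustration code written for this page, not part of the announcement and not OpenSSH's own parser. It assumes a constructed sshd_config fragment, the four 4.4-era criteria (User, Group, Host, Address), comma-separated pattern lists in which a matching "!" entry rejects regardless of order, CIDR entries for Address, and the resolution rule that global keywords apply unless a matching Match block overrides them, with the first matching block to set a keyword winning when several blocks match. Check that rule against your own sshd before relying on it; the point of the example is to show why block order and AllowTcpForwarding placement matter when PermitOpen is used to fence a user in.

```python
"""Toy model of sshd_config(5) Match resolution with ForceCommand,
PermitOpen and AllowTcpForwarding.  Added illustration, not OpenSSH code.
Assumed rules: all criteria on a Match line must hold; pattern lists are
comma-separated, a matching "!" entry rejects outright; Address entries
may be CIDR; the first matching block to set a keyword wins."""
import fnmatch
import ipaddress

# Constructed sshd_config fragment for the example (not from the announcement).
SSHD_CONFIG = """\
# Global section: forwarding is off unless a Match block turns it on.
AllowTcpForwarding no

Match Group backup
    ForceCommand /usr/local/bin/backup-shell
    AllowTcpForwarding no

Match User alice Address 10.0.0.0/8
    AllowTcpForwarding yes
    PermitOpen db.internal:5432 cache.internal:6379

Match Address 192.0.2.0/24,!192.0.2.13
    AllowTcpForwarding yes
    PermitOpen any
"""


def parse_config(text):
    """Split the file into global options plus an ordered list of
    (criteria, options) Match blocks.  Keywords are lower-cased."""
    global_opts, blocks, current = {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        keyword, _, args = line.partition(" ")
        keyword = keyword.lower()
        if keyword == "match":
            words = args.split()
            # Criteria are name/pattern pairs: "User alice Address 10.0.0.0/8".
            criteria = dict(zip([w.lower() for w in words[0::2]], words[1::2]))
            current = {}
            blocks.append((criteria, current))
        else:
            (global_opts if current is None else current)[keyword] = args.strip()
    return global_opts, blocks


def _entry_matches(value, pattern, is_address):
    if is_address:
        try:
            return ipaddress.ip_address(value) in ipaddress.ip_network(pattern, strict=False)
        except ValueError:
            pass  # not a CIDR/host entry: fall back to glob matching below
    return fnmatch.fnmatchcase(value, pattern)


def match_list(value, pattern_list, is_address=False):
    """Comma-separated pattern list with '!' negation: a negated entry that
    matches rejects outright; otherwise any positive match accepts."""
    positive = False
    for entry in pattern_list.split(","):
        negated = entry.startswith("!")
        if _entry_matches(value, entry.lstrip("!"), is_address):
            if negated:
                return False
            positive = True
    return positive


def block_matches(criteria, conn):
    """Every criterion on the Match line must be satisfied."""
    for name, pattern in criteria.items():
        if name == "address":
            ok = match_list(conn["address"], pattern, is_address=True)
        elif name == "group":
            ok = any(match_list(g, pattern) for g in conn["groups"])
        else:  # "user" or "host"
            ok = match_list(conn[name], pattern)
        if not ok:
            return False
    return True


def effective_options(text, conn):
    """Global options, overridden per keyword by the first matching block
    that sets that keyword."""
    global_opts, blocks = parse_config(text)
    opts, set_by_match = dict(global_opts), set()
    for criteria, block_opts in blocks:
        if not block_matches(criteria, conn):
            continue
        for key, value in block_opts.items():
            if key not in set_by_match:
                opts[key] = value
                set_by_match.add(key)
    return opts


def forward_permitted(opts, host, port):
    """Would a direct-tcpip request to host:port pass AllowTcpForwarding
    and then PermitOpen under these effective options?"""
    if opts.get("allowtcpforwarding", "yes").lower() != "yes":
        return False
    permit = opts.get("permitopen", "any")
    return permit.lower() == "any" or "%s:%d" % (host, port) in permit.split()


def connection(user, groups, address, host="client.example.org"):
    return {"user": user, "groups": groups, "address": address, "host": host}


if __name__ == "__main__":
    for conn in (connection("alice", ["staff"], "10.1.2.3"),
                 connection("bob", ["backup"], "10.9.9.9"),
                 connection("alice", ["backup"], "192.0.2.7"),
                 connection("carol", ["staff"], "192.0.2.13")):
        opts = effective_options(SSHD_CONFIG, conn)
        print(conn["user"], conn["address"], opts,
              "db.internal:5432 ->", forward_permitted(opts, "db.internal", 5432))
```

Two cases in the sample are the ones worth noticing. alice connecting from 192.0.2.7 while in group backup hits the "Group backup" block first, so ForceCommand and "AllowTcpForwarding no" stick even though the later address block would have granted "PermitOpen any"; and 192.0.2.13 is rejected by the "!" entry even though it sits inside the positive /24, so that client gets only the global options.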
