Announce: OpenSSH 5.2 released

To: <announce@...>
Date: Sunday, February 22, 2009 - 10:23 pm

OpenSSH 5.2 has just been released. It will be available from the
mirrors listed at http://www.openssh.com/ shortly.

OpenSSH is a 100% complete SSH protocol version 1.3, 1.5 and 2.0
implementation and includes sftp client and server support.

We have also recently completed another Internet SSH usage scan, the
results of which may be found at http://www.openssh.com/usage.html

Once again, we would like to thank the OpenSSH community for their
continued support of the project, especially those who contributed
code or patches, reported bugs, tested snapshots or donated to the
project. More information on donations may be found at:
http://www.openssh.com/donations.html

The focus of this release has been on bugfixes as the previous
openssh-5.1 release introduced many new features and made some
invasive changes.

Changes since OpenSSH 5.1
=========================

Security:

* This release changes the default cipher order to prefer the AES CTR
modes and the revised "arcfour256" mode to CBC mode ciphers that are
susceptible to CPNI-957037 "Plaintext Recovery Attack Against SSH".

* This release also adds countermeasures to mitigate CPNI-957037-style
attacks against the SSH protocol's use of CBC-mode ciphers. Upon
detection of an invalid packet length or Message Authentication
Code, ssh/sshd will continue reading up to the maximum supported
packet length rather than immediately terminating the connection.
This eliminates most of the known differences in behaviour that
leaked information about the plaintext of injected data which formed
the basis of this attack. We believe that these attacks are rendered
infeasible by these changes.

New features:

* Added a -y option to ssh(1) to force logging to syslog rather than
stderr, which is useful when running daemonised (ssh -f)

* The sshd_config(5) ForceCommand directive now accepts commandline
arguments for the internal-sftp server.

* The ssh(1) ~C escape commandline now supports runtime creation of
dynamic (-D) port forwards.

* Support the SOCKS4A protocol in ssh(1) dynamic (-D) forwards.
(bz#1482)

* Support remote port forwarding with a listen port of '0'. This
informs the server that it should dynamically allocate a listen
port and report it back to the client. (bz#1003)

* sshd(8) now supports setting PermitEmptyPasswords and
AllowAgentForwarding in Match blocks

Bug and documentation fixes:

* Repair a ssh(1) crash introduced in openssh-5.1 when the client is
sent a zero-length banner (bz#1496)

* Due to interoperability problems with certain broken SSH
implementations, the eow@openssh.com and no-more-sessions@openssh.com
protocol extensions are now only sent to peers that identify
themselves as OpenSSH.

* Make ssh(1) send the correct channel number for
SSH2_MSG_CHANNEL_SUCCESS and SSH2_MSG_CHANNEL_FAILURE messages to
avoid triggering 'Non-public channel' error messages on sshd(8) in
openssh-5.1.

* Avoid printing 'Non-public channel' warnings in sshd(8), since the
ssh(1) has sent incorrect channel numbers since ~2004 (this reverts
a behaviour introduced in openssh-5.1).

* Avoid double-free in ssh(1) ~C escape -L handler (bz#1539)

* Correct fail-on-error behaviour in sftp(1) batchmode for remote
stat operations. (bz#1541)

* Disable nonfunctional ssh(1) ~C escape handler in multiplex slave
connections. (bz#1543)

* Avoid hang in ssh(1) when attempting to connect to a server that
has MaxSessions=0 set.

* Multiple fixes to sshd(8) configuration test (-T) mode

* Several core and portable OpenSSH bugs fixed: 1380, 1412, 1418,
1419, 1421, 1490, 1491, 1492, 1514, 1515, 1518, 1520, 1538, 1540

* Many manual page improvements.

Checksums:
==========

- SHA1 (openssh-5.2.tar.gz) = 260074ed466e95f054ac05a4406f613d08575217
- SHA1 (openssh-5.2p1.tar.gz) = 8273a0237db98179fbdc412207ff8eb14ff3d6de

Reporting Bugs:
===============

- Please read http://www.openssh.com/report.html
Security bugs should be reported directly to openssh@openssh.com

OpenSSH is brought to you by Markus Friedl, Niels Provos, Theo de Raadt,
Kevin Steves, Damien Miller, Darren Tucker, Jason McIntyre, Tim Rice and
Ben Lindstrom.
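
The cipher-order change in the Security section above can be checked against an explicit "Ciphers" line in ssh_config or sshd_config. The script below is an added example, not part of the announcement or of OpenSSH; its function names are hypothetical, the sample configuration is constructed, and it assumes the whitespace-separated "Ciphers list" form.

```shell
#!/bin/sh
# Added example (not OpenSSH project code). Function names are hypothetical.

# Print the value of the first "Ciphers" line read from stdin. Keywords are
# case-insensitive; commented-out lines do not match because $1 starts with '#'.
ciphers_from_config() {
    awk 'tolower($1) == "ciphers" { print $2; exit }'
}

# Print every CBC cipher in the comma-separated list $1 that is ranked ahead
# of a CTR-mode or arcfour256 entry, or every CBC cipher when the list offers
# no such entry at all. Prints nothing when the order matches the 5.2 preference.
cbc_ahead_of_ctr() {
    printf '%s\n' "$1" | tr ',' '\n' | awk '
        { name[NR] = $0 }
        /-ctr$/ || $0 == "arcfour256" { last_pref = NR }
        END {
            for (i = 1; i <= NR; i++)
                if (name[i] ~ /-cbc(@.*)?$/ && (last_pref == 0 || i < last_pref))
                    print name[i]
        }'
}

# Return 0 if the list needs no change, 1 (with a one-line finding) otherwise.
audit_ciphers() {
    bad=$(cbc_ahead_of_ctr "$1")
    [ -z "$bad" ] && return 0
    echo "CBC ranked ahead of CTR/arcfour256: $(echo $bad | tr ' ' ',')"
    return 1
}

# Constructed sample input: a config fragment that still prefers CBC.
SAMPLE_CONFIG='# constructed sshd_config fragment
Protocol 2
#Ciphers aes128-ctr
Ciphers aes128-cbc,3des-cbc,aes128-ctr,aes256-ctr,arcfour256'

list=$(printf '%s\n' "$SAMPLE_CONFIG" | ciphers_from_config)
audit_ciphers "$list" || echo "reorder or drop the CBC entries in: $list"
```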
