Home

Tools: OpenSSH 3.5

Submitted by Jeremy
on October 15, 2002 - 7:38pm

Markus Friedl announced the release of OpenSSH 3.5 today, the first release since version 3.4 which was made available in late June after the discovery of an input validation error [story]. This error resulted in the "One remote hole in the default install, in nearly 6 years!" referred to on the OpenBSD home page [story]. OpenSSH 3.4 has had no known security holes.

OpenSSH 3.5 is available for download now, and will also be part of the upcoming OpenBSD 3.2 release available on November 1'st. Read on for the release announcement, detailing what's new in this verison.

From: Markus Friedl
To: announce AT openbsd.org
Subject: OpenSSH 3.5 released
Date: Tue, 15 Oct 2002 20:58:07 +0200

OpenSSH 3.5 has just been released. It will be available from the
mirrors listed at http://www.openssh.com/ shortly.

OpenSSH is a 100% complete SSH protocol version 1.3, 1.5 and 2.0
implementation and includes sftp client and server support.

We would like to thank the OpenSSH community for their continued
support and encouragement.

Changes since OpenSSH 3.4:
============================ 

* Improved support for Privilege Separation (Portability, Kerberos,
  PermitRootLogin handling).

* ssh(1) prints out all known host keys for a host if it receives an
  unknown host key of a different type.

* Fixed AES/Rijndael EVP integration for OpenSSL < 0.9.7 (caused
  problems with bounds checking patches for gcc).

* ssh-keysign(8) is disabled by default and only enabled if the
  HostbasedAuthentication option is enabled in the global ssh_config(5)
  file.

* ssh-keysign(8) uses RSA blinding in order to avoid timing attacks
  against the RSA host key.

* A use-after-free bug was fixed in ssh-keysign(8).  This bug
  broke hostbased authentication on several platforms.

* ssh-agent(1) is now installed setgid in order to avoid ptrace(2)
  attacks.

* ssh-agent(1) now restricts the access with getpeereid(2) (or
  equivalent, where available).

* sshd(8) no longer uses the ASN.1 parsing code from libcrypto when
  verifying RSA signatures.

* sshd(8) now sets the SSH_CONNECTION environment variable.

* Enhanced "ls" support for the sftp(1) client, including globbing and
  detailed listings.

* ssh(1) now always falls back to uncompressed sessions, if the
  server does not support compression.

* The default behavior of sshd(8) with regard to user settable
  environ variables has changed:  the new option PermitUserEnvironment
  is disabled by default, see sshd_config(5).

* The default value for LoginGraceTime has been changed from 600 to 120
  seconds, see sshd_config(5).

* Removed erroneous SO_LINGER handling.

Checksums:
==========

- MD5 (openssh-3.5p1.tar.gz) = 42bd78508d208b55843c84dd54dea848
- MD5 (openssh-3.5.tgz) = 79fc225dbe0fe71ebb6910f449101d23

Reporting Bugs:
===============

- please read http://www.openssh.com/report.html
  and http://bugzilla.mindrot.org/

OpenSSH is brought to you by Markus Friedl, Niels Provos, Theo de Raadt,
Kevin Steves, Damien Miller and Ben Lindstrom.