Re: [PATCH] openssh: Update to 8.5p1

["Peter Müller" <peter.mueller@ipfire.org>]

[-- Attachment #1: Type: text/plain, Size: 5477 bytes --]

Hello Adolf,

thank you for your work and this well documented patch. :-)

Reviewed-by: Peter Müller <peter.mueller(a)ipfire.org>

Thanks, and best regards,
Peter Müller

> - Update Openssh from 8.4p1 to 8.5p1
> - rootfiles not changed
> - ssh access by keys tested with 8.5p1 and successfully worked
> - Full Release notes can be read at https://www.openssh.com/releasenotes.html
> - Future deprecation notice
>    It is now possible[1] to perform chosen-prefix attacks against the
>    SHA-1 algorithm for less than USD$50K.
>    In the SSH protocol, the "ssh-rsa" signature scheme uses the SHA-1
>    hash algorithm in conjunction with the RSA public key algorithm.
>    OpenSSH will disable this signature scheme by default in the near
>    future.
>    Note that the deactivation of "ssh-rsa" signatures does not necessarily
>    require cessation of use for RSA keys. In the SSH protocol, keys may be
>    capable of signing using multiple algorithms. In particular, "ssh-rsa"
>    keys are capable of signing using "rsa-sha2-256" (RSA/SHA256),
>    "rsa-sha2-512" (RSA/SHA512) and "ssh-rsa" (RSA/SHA1). Only the last of
>    these is being turned off by default.
> - Checked if the weak ssh-rsa public key algorithm was being used with
>    openssh8.4p1 by running
>     ssh -oHostKeyAlgorithms=-ssh-rsa user(a)host
>    host verification was successful with no issue so IPFire will not be
>    affected by this deprecation when it happens
> - Potentially-incompatible changes
>     * ssh(1), sshd(8): this release changes the first-preference signature
>       algorithm from ECDSA to ED25519.
>    This did not affect my use of ssh login but I use ED25519 as the only
>     key algorithm that I use. It might be good to get it tested by
>     someone who has ECDSA and ED25519 keys and prefers ECDSA
>    Remaining changes don't look likely to affect IPFire users
> - Bugfixes
>  * ssh(1): Prefix keyboard interactive prompts with "(user(a)host)" to
>    make it easier to determine which connection they are associated
>    with in cases like scp -3, ProxyJump, etc. bz#3224
>  * sshd(8): fix sshd_config SetEnv directives located inside Match
>    blocks. GHPR201
>  * ssh(1): when requesting a FIDO token touch on stderr, inform the
>    user once the touch has been recorded.
>  * ssh(1): prevent integer overflow when ridiculously large
>    ConnectTimeout values are specified, capping the effective value
>    (for most platforms) at 24 days. bz#3229
>  * ssh(1): consider the ECDSA key subtype when ordering host key
>    algorithms in the client.
>  * ssh(1), sshd(8): rename the PubkeyAcceptedKeyTypes keyword to
>    PubkeyAcceptedAlgorithms. The previous name incorrectly suggested
>    that it control allowed key algorithms, when this option actually
>    specifies the signature algorithms that are accepted. The previous
>    name remains available as an alias. bz#3253
>  * ssh(1), sshd(8): similarly, rename HostbasedKeyTypes (ssh) and
>    HostbasedAcceptedKeyTypes (sshd) to HostbasedAcceptedAlgorithms.
>  * sftp-server(8): add missing lsetstat(a)openssh.com documentation
>    and advertisement in the server's SSH2_FXP_VERSION hello packet.
>  * ssh(1), sshd(8): more strictly enforce KEX state-machine by
>    banning packet types once they are received. Fixes memleak caused
>    by duplicate SSH2_MSG_KEX_DH_GEX_REQUEST (oss-fuzz #30078).
>  * sftp(1): allow the full range of UIDs/GIDs for chown/chgrp on 32bit
>    platforms instead of being limited by LONG_MAX. bz#3206
>  * Minor man page fixes (capitalization, commas, etc.) bz#3223
>  * sftp(1): when doing an sftp recursive upload or download of a
>    read-only directory, ensure that the directory is created with
>    write and execute permissions in the interim so that the transfer
>    can actually complete, then set the directory permission as the
>    final step. bz#3222
>  * ssh-keygen(1): document the -Z, check the validity of its argument
>    earlier and provide a better error message if it's not correct.
>    bz#2879
>  * ssh(1): ignore comments at the end of config lines in ssh_config,
>    similar to what we already do for sshd_config. bz#2320
>  * sshd_config(5): mention that DisableForwarding is valid in a
>    sshd_config Match block. bz3239
>  * sftp(1): fix incorrect sorting of "ls -ltr" under some
>    circumstances. bz3248.
>  * ssh(1), sshd(8): fix potential integer truncation of (unlikely)
>    timeout values. bz#3250
>  * ssh(1): make hostbased authentication send the signature algorithm
>    in its SSH2_MSG_USERAUTH_REQUEST packets instead of the key type.
>    This make HostbasedAcceptedAlgorithms do what it is supposed to -
>    filter on signature algorithm and not key type.
> 
> Signed-off-by: Adolf Belka <adolf.belka(a)ipfire.org>
> ---
>  lfs/openssh | 4 ++--
>  1 file changed, 2 insertions(+), 2 deletions(-)
> 
> diff --git a/lfs/openssh b/lfs/openssh
> index 5143f4154..2a07d9e65 100644
> --- a/lfs/openssh
> +++ b/lfs/openssh
> @@ -24,7 +24,7 @@
>  
>  include Config
>  
> -VER        = 8.4p1
> +VER        = 8.5p1
>  
>  THISAPP    = openssh-$(VER)
>  DL_FILE    = $(THISAPP).tar.gz
> @@ -40,7 +40,7 @@ objects = $(DL_FILE)
>  
>  $(DL_FILE) = $(DL_FROM)/$(DL_FILE)
>  
> -$(DL_FILE)_MD5 = 8f897870404c088e4aa7d1c1c58b526b
> +$(DL_FILE)_MD5 = 9eb9420cf587edc26f8998ab679ad390
>  
>  install : $(TARGET)
>  
>