From mboxrd@z Thu Jan 1 00:00:00 1970 From: Peter =?utf-8?q?M=C3=BCller?= To: development@lists.ipfire.org Subject: Re: [PATCH] openssh: Update to 8.5p1 Date: Fri, 05 Mar 2021 19:25:11 +0100 Message-ID: <0ca93a9b-2dd4-0f69-d0b6-5a755b0a105b@ipfire.org> In-Reply-To: <20210305174128.3654506-1-adolf.belka@ipfire.org> MIME-Version: 1.0 Content-Type: multipart/mixed; boundary="===============3150490699558900411==" List-Id: --===============3150490699558900411== Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable Hello Adolf, thank you for your work and this well documented patch. :-) Reviewed-by: Peter M=C3=BCller Thanks, and best regards, Peter M=C3=BCller > - Update Openssh from 8.4p1 to 8.5p1 > - rootfiles not changed > - ssh access by keys tested with 8.5p1 and successfully worked > - Full Release notes can be read at https://www.openssh.com/releasenotes.ht= ml > - Future deprecation notice > It is now possible[1] to perform chosen-prefix attacks against the > SHA-1 algorithm for less than USD$50K. > In the SSH protocol, the "ssh-rsa" signature scheme uses the SHA-1 > hash algorithm in conjunction with the RSA public key algorithm. > OpenSSH will disable this signature scheme by default in the near > future. > Note that the deactivation of "ssh-rsa" signatures does not necessarily > require cessation of use for RSA keys. In the SSH protocol, keys may be > capable of signing using multiple algorithms. In particular, "ssh-rsa" > keys are capable of signing using "rsa-sha2-256" (RSA/SHA256), > "rsa-sha2-512" (RSA/SHA512) and "ssh-rsa" (RSA/SHA1). Only the last of > these is being turned off by default. > - Checked if the weak ssh-rsa public key algorithm was being used with > openssh8.4p1 by running > ssh -oHostKeyAlgorithms=3D-ssh-rsa user(a)host > host verification was successful with no issue so IPFire will not be > affected by this deprecation when it happens > - Potentially-incompatible changes > * ssh(1), sshd(8): this release changes the first-preference signature > algorithm from ECDSA to ED25519. > This did not affect my use of ssh login but I use ED25519 as the only > key algorithm that I use. It might be good to get it tested by > someone who has ECDSA and ED25519 keys and prefers ECDSA > Remaining changes don't look likely to affect IPFire users > - Bugfixes > * ssh(1): Prefix keyboard interactive prompts with "(user(a)host)" to > make it easier to determine which connection they are associated > with in cases like scp -3, ProxyJump, etc. bz#3224 > * sshd(8): fix sshd_config SetEnv directives located inside Match > blocks. GHPR201 > * ssh(1): when requesting a FIDO token touch on stderr, inform the > user once the touch has been recorded. > * ssh(1): prevent integer overflow when ridiculously large > ConnectTimeout values are specified, capping the effective value > (for most platforms) at 24 days. bz#3229 > * ssh(1): consider the ECDSA key subtype when ordering host key > algorithms in the client. > * ssh(1), sshd(8): rename the PubkeyAcceptedKeyTypes keyword to > PubkeyAcceptedAlgorithms. The previous name incorrectly suggested > that it control allowed key algorithms, when this option actually > specifies the signature algorithms that are accepted. The previous > name remains available as an alias. bz#3253 > * ssh(1), sshd(8): similarly, rename HostbasedKeyTypes (ssh) and > HostbasedAcceptedKeyTypes (sshd) to HostbasedAcceptedAlgorithms. > * sftp-server(8): add missing lsetstat(a)openssh.com documentation > and advertisement in the server's SSH2_FXP_VERSION hello packet. > * ssh(1), sshd(8): more strictly enforce KEX state-machine by > banning packet types once they are received. Fixes memleak caused > by duplicate SSH2_MSG_KEX_DH_GEX_REQUEST (oss-fuzz #30078). > * sftp(1): allow the full range of UIDs/GIDs for chown/chgrp on 32bit > platforms instead of being limited by LONG_MAX. bz#3206 > * Minor man page fixes (capitalization, commas, etc.) bz#3223 > * sftp(1): when doing an sftp recursive upload or download of a > read-only directory, ensure that the directory is created with > write and execute permissions in the interim so that the transfer > can actually complete, then set the directory permission as the > final step. bz#3222 > * ssh-keygen(1): document the -Z, check the validity of its argument > earlier and provide a better error message if it's not correct. > bz#2879 > * ssh(1): ignore comments at the end of config lines in ssh_config, > similar to what we already do for sshd_config. bz#2320 > * sshd_config(5): mention that DisableForwarding is valid in a > sshd_config Match block. bz3239 > * sftp(1): fix incorrect sorting of "ls -ltr" under some > circumstances. bz3248. > * ssh(1), sshd(8): fix potential integer truncation of (unlikely) > timeout values. bz#3250 > * ssh(1): make hostbased authentication send the signature algorithm > in its SSH2_MSG_USERAUTH_REQUEST packets instead of the key type. > This make HostbasedAcceptedAlgorithms do what it is supposed to - > filter on signature algorithm and not key type. >=20 > Signed-off-by: Adolf Belka > --- > lfs/openssh | 4 ++-- > 1 file changed, 2 insertions(+), 2 deletions(-) >=20 > diff --git a/lfs/openssh b/lfs/openssh > index 5143f4154..2a07d9e65 100644 > --- a/lfs/openssh > +++ b/lfs/openssh > @@ -24,7 +24,7 @@ > =20 > include Config > =20 > -VER =3D 8.4p1 > +VER =3D 8.5p1 > =20 > THISAPP =3D openssh-$(VER) > DL_FILE =3D $(THISAPP).tar.gz > @@ -40,7 +40,7 @@ objects =3D $(DL_FILE) > =20 > $(DL_FILE) =3D $(DL_FROM)/$(DL_FILE) > =20 > -$(DL_FILE)_MD5 =3D 8f897870404c088e4aa7d1c1c58b526b > +$(DL_FILE)_MD5 =3D 9eb9420cf587edc26f8998ab679ad390 > =20 > install : $(TARGET) > =20 >=20 --===============3150490699558900411==--