Thank you.

> On 3 Mar 2021, at 12:30, Adolf Belka (ipfire) wrote:
>
> Hi Michael,
>
> I will pick this up.
>
> Regards,
>
> Adolf.
>
> On 03/03/2021 11:16, Michael Tremer wrote:
>> Who wants to grab this one?
>>
>> Looks like a simple package upgrade with no other changes required.
>>
>> Best,
>> -Michael
>>
>>> Begin forwarded message:
>>>
>>> *From: *Damien Miller
>>> *Subject: **[openssh-unix-announce] Announce: OpenSSH 8.5 released*
>>> *Date: *3 March 2021 at 01:19:55 GMT
>>> *To: *openssh-unix-announce(a)mindrot.org
>>>
>>> OpenSSH 8.5 has just been released. It will be available from the
>>> mirrors listed at https://www.openssh.com/ shortly.
>>>
>>> OpenSSH is a 100% complete SSH protocol 2.0 implementation and
>>> includes sftp client and server support.
>>>
>>> Once again, we would like to thank the OpenSSH community for their
>>> continued support of the project, especially those who contributed
>>> code or patches, reported bugs, tested snapshots or donated to the
>>> project. More information on donations may be found at:
>>> https://www.openssh.com/donations.html
>>>
>>> Future deprecation notice
>>> =========================
>>>
>>> It is now possible[1] to perform chosen-prefix attacks against the
>>> SHA-1 algorithm for less than USD$50K.
>>>
>>> In the SSH protocol, the "ssh-rsa" signature scheme uses the SHA-1
>>> hash algorithm in conjunction with the RSA public key algorithm.
>>> OpenSSH will disable this signature scheme by default in the near
>>> future.
>>>
>>> Note that the deactivation of "ssh-rsa" signatures does not necessarily
>>> require cessation of use for RSA keys. In the SSH protocol, keys may be
>>> capable of signing using multiple algorithms. In particular, "ssh-rsa"
>>> keys are capable of signing using "rsa-sha2-256" (RSA/SHA256),
>>> "rsa-sha2-512" (RSA/SHA512) and "ssh-rsa" (RSA/SHA1). Only the last of
>>> these is being turned off by default.
>>>
>>> This algorithm is unfortunately still used widely despite the
>>> existence of better alternatives, being the only remaining public key
>>> signature algorithm specified by the original SSH RFCs that is still
>>> enabled by default.
>>>
>>> The better alternatives include:
>>>
>>> * The RFC8332 RSA SHA-2 signature algorithms rsa-sha2-256/512. These
>>>   algorithms have the advantage of using the same key type as
>>>   "ssh-rsa" but use the safe SHA-2 hash algorithms. These have been
>>>   supported since OpenSSH 7.2 and are already used by default if the
>>>   client and server support them.
>>>
>>> * The RFC8709 ssh-ed25519 signature algorithm. It has been supported
>>>   in OpenSSH since release 6.5.
>>>
>>> * The RFC5656 ECDSA algorithms: ecdsa-sha2-nistp256/384/521. These
>>>   have been supported by OpenSSH since release 5.7.
>>>
>>> To check whether a server is using the weak ssh-rsa public key
>>> algorithm, for host authentication, try to connect to it after
>>> removing the ssh-rsa algorithm from ssh(1)'s allowed list:
>>>
>>>     ssh -oHostKeyAlgorithms=-ssh-rsa user@host
>>>
>>> If the host key verification fails and no other supported host key
>>> types are available, the server software on that host should be
>>> upgraded.
>>>
>>> This release enables the UpdateHostKeys option by default to assist
>>> the client by automatically migrating to better algorithms.
>>>
>>> [1] "SHA-1 is a Shambles: First Chosen-Prefix Collision on SHA-1 and
>>>     Application to the PGP Web of Trust" Leurent, G and Peyrin, T
>>>     (2020) https://eprint.iacr.org/2020/014.pdf
>>>
>>> Security
>>> ========
>>>
>>> * ssh-agent(1): fixed a double-free memory corruption that was
>>>   introduced in OpenSSH 8.2. We treat all such memory faults as
>>>   potentially exploitable. This bug could be reached by an attacker
>>>   with access to the agent socket.
>>>
>>>   On modern operating systems where the OS can provide information
>>>   about the user identity connected to a socket, OpenSSH ssh-agent
>>>   and sshd limit agent socket access only to the originating user
>>>   and root. Additional mitigation may be afforded by the system's
>>>   malloc(3)/free(3) implementation, if it detects double-free
>>>   conditions.
>>>
>>>   The most likely scenario for exploitation is a user forwarding an
>>>   agent either to an account shared with a malicious user or to a
>>>   host with an attacker holding root access.
>>>
>>> * Portable sshd(8): Prevent excessively long username going to PAM.
>>>   This is a mitigation for a buffer overflow in Solaris' PAM username
>>>   handling (CVE-2020-14871), and is only enabled for Sun-derived PAM
>>>   implementations. This is not a problem in sshd itself, it only
>>>   prevents sshd from being used as a vector to attack Solaris' PAM.
>>>   It does not prevent the bug in PAM from being exploited via some
>>>   other PAM application. GHPR#212
>>>
>>>
>>> Potentially-incompatible changes
>>> ================================
>>>
>>> This release includes a number of changes that may affect existing
>>> configurations:
>>>
>>> * ssh(1), sshd(8): this release changes the first-preference signature
>>>   algorithm from ECDSA to ED25519.
>>>
>>> * ssh(1), sshd(8): set the TOS/DSCP specified in the configuration
>>>   for interactive use prior to TCP connect. The connection phase of
>>>   the SSH session is time-sensitive and often explicitly interactive.
>>>   The ultimate interactive/bulk TOS/DSCP will be set after
>>>   authentication completes.
>>>
>>> * ssh(1), sshd(8): remove the pre-standardization cipher
>>>   rijndael-cbc@lysator.liu.se. It is an alias for aes256-cbc before
>>>   it was standardized in RFC4253 (2006), has been deprecated and
>>>   disabled by default since OpenSSH 7.2 (2016) and was only briefly
>>>   documented in ssh.1 in 2001.
>>>
>>> * ssh(1), sshd(8): update/replace the experimental post-quantum
>>>   hybrid key exchange method based on Streamlined NTRU Prime coupled
>>>   with X25519.
>>>
>>>   The previous sntrup4591761x25519-sha512@tinyssh.org method is
>>>   replaced with sntrup761x25519-sha512@openssh.com. Per its
>>>   designers, the sntrup4591761 algorithm was superseded almost two
>>>   years ago by sntrup761.
>>>
>>>   (note that both the updated method and the one that it replaced are
>>>   disabled by default)
>>>
>>> * ssh(1): disable CheckHostIP by default. It provides insignificant
>>>   benefits while making key rotation significantly more difficult,
>>>   especially for hosts behind IP-based load-balancers.
>>>
>>> Changes since OpenSSH 8.4
>>> =========================
>>>
>>> New features
>>> ------------
>>>
>>> * ssh(1): this release enables UpdateHostkeys by default subject to
>>>   some conservative preconditions:
>>>   - The key was matched in the UserKnownHostsFile (and not in the
>>>     GlobalKnownHostsFile).
>>>   - The same key does not exist under another name.
>>>   - A certificate host key is not in use.
>>>   - known_hosts contains no matching wildcard hostname pattern.
>>>   - VerifyHostKeyDNS is not enabled.
>>>   - The default UserKnownHostsFile is in use.
>>>
>>>   We expect some of these conditions will be modified or relaxed in
>>>   future.
>>>
>>> * ssh(1), sshd(8): add a new LogVerbose configuration directive
>>>   that allows forcing maximum debug logging by file/function/line
>>>   pattern-lists.
>>>
>>> * ssh(1): when prompting the user to accept a new hostkey, display
>>>   any other host names/addresses already associated with the key.
>>>
>>> * ssh(1): allow UserKnownHostsFile=none to indicate that no
>>>   known_hosts file should be used to identify host keys.
>>>
>>> * ssh(1): add a ssh_config KnownHostsCommand option that allows the
>>>   client to obtain known_hosts data from a command in addition to
>>>   the usual files.
>>>
>>> * ssh(1): add a ssh_config PermitRemoteOpen option that allows the
>>>   client to restrict the destination when RemoteForward is used
>>>   with SOCKS.
>>>
>>> * ssh(1): for FIDO keys, if a signature operation fails with an
>>>   "incorrect PIN" reason and no PIN was initially requested from the
>>>   user, then request a PIN and retry the operation. This supports
>>>   some biometric devices that fall back to requiring PIN when reading
>>>   of the biometric failed, and devices that require PINs for all
>>>   hosted credentials.
>>>
>>> * sshd(8): implement client address-based rate-limiting via new
>>>   sshd_config(5) PerSourceMaxStartups and PerSourceNetBlockSize
>>>   directives that provide more fine-grained control on a per-origin
>>>   address basis than the global MaxStartups limit.
>>>
>>> Bugfixes
>>> --------
>>>
>>> * ssh(1): Prefix keyboard interactive prompts with "(user@host)" to
>>>   make it easier to determine which connection they are associated
>>>   with in cases like scp -3, ProxyJump, etc. bz#3224
>>>
>>> * sshd(8): fix sshd_config SetEnv directives located inside Match
>>>   blocks. GHPR#201
>>>
>>> * ssh(1): when requesting a FIDO token touch on stderr, inform the
>>>   user once the touch has been recorded.
>>>
>>> * ssh(1): prevent integer overflow when ridiculously large
>>>   ConnectTimeout values are specified, capping the effective value
>>>   (for most platforms) at 24 days. bz#3229
>>>
>>> * ssh(1): consider the ECDSA key subtype when ordering host key
>>>   algorithms in the client.
>>>
>>> * ssh(1), sshd(8): rename the PubkeyAcceptedKeyTypes keyword to
>>>   PubkeyAcceptedAlgorithms. The previous name incorrectly suggested
>>>   that it controls allowed key algorithms, when this option actually
>>>   specifies the signature algorithms that are accepted. The previous
>>>   name remains available as an alias. bz#3253
>>>
>>> * ssh(1), sshd(8): similarly, rename HostbasedKeyTypes (ssh) and
>>>   HostbasedAcceptedKeyTypes (sshd) to HostbasedAcceptedAlgorithms.
>>>
>>> * sftp-server(8): add missing lsetstat@openssh.com documentation
>>>   and advertisement in the server's SSH2_FXP_VERSION hello packet.
>>>
>>> * ssh(1), sshd(8): more strictly enforce KEX state-machine by
>>>   banning packet types once they are received. Fixes memleak caused
>>>   by duplicate SSH2_MSG_KEX_DH_GEX_REQUEST (oss-fuzz #30078).
>>>
>>> * sftp(1): allow the full range of UIDs/GIDs for chown/chgrp on 32bit
>>>   platforms instead of being limited by LONG_MAX. bz#3206
>>>
>>> * Minor man page fixes (capitalization, commas, etc.) bz#3223
>>>
>>> * sftp(1): when doing an sftp recursive upload or download of a
>>>   read-only directory, ensure that the directory is created with
>>>   write and execute permissions in the interim so that the transfer
>>>   can actually complete, then set the directory permission as the
>>>   final step. bz#3222
>>>
>>> * ssh-keygen(1): document the -Z, check the validity of its argument
>>>   earlier and provide a better error message if it's not correct.
>>>   bz#2879
>>>
>>> * ssh(1): ignore comments at the end of config lines in ssh_config,
>>>   similar to what we already do for sshd_config. bz#2320
>>>
>>> * sshd_config(5): mention that DisableForwarding is valid in a
>>>   sshd_config Match block. bz3239
>>>
>>> * sftp(1): fix incorrect sorting of "ls -ltr" under some
>>>   circumstances. bz3248.
>>>
>>> * ssh(1), sshd(8): fix potential integer truncation of (unlikely)
>>>   timeout values. bz#3250
>>>
>>> * ssh(1): make hostbased authentication send the signature algorithm
>>>   in its SSH2_MSG_USERAUTH_REQUEST packets instead of the key type.
>>>   This makes HostbasedAcceptedAlgorithms do what it is supposed to -
>>>   filter on signature algorithm and not key type.
>>>
>>> Portability
>>> -----------
>>>
>>> * sshd(8): add a number of platform-specific syscalls to the Linux
>>>   seccomp-bpf sandbox. bz#3232 bz#3260
>>>
>>> * sshd(8): remove debug message from sigchld handler that could cause
>>>   deadlock on some platforms. bz#3259
>>>
>>> * Sync contrib/ssh-copy-id with upstream.
>>>
>>> * unittests: add a hostname function for systems that don't have it.
>>>   Some systems don't have a hostname command (it's not required by
>>>   POSIX). They do have uname -n (which is), but not all of those have
>>>   it report the FQDN.
>>>
>>> Checksums:
>>> ==========
>>>
>>> - SHA1 (openssh-8.5.tar.gz) = 04cae43c389fb411227c01219e4eb46e3113f34e
>>> - SHA256 (openssh-8.5.tar.gz) = 5qB2CgzNG4io4DmChTjHgCWqRWvEOvCKJskLdJCz+SU=
>>>
>>> - SHA1 (openssh-8.5p1.tar.gz) = 72eadcbe313b07b1dd3b693e41d3cd56d354e24e
>>> - SHA256 (openssh-8.5p1.tar.gz) = 9S8/QdQpqpkY44zyAK8iXM3Y5m8FLaVyhwyJc3ZG7CU=
>>>
>>> Please note that the SHA256 signatures are base64 encoded and not
>>> hexadecimal (which is the default for most checksum tools). The PGP
>>> key used to sign the releases is available from the mirror sites:
>>> https://cdn.openbsd.org/pub/OpenBSD/OpenSSH/RELEASE_KEY.asc
>>>
>>> Please note that the OpenPGP key used to sign releases has been
>>> rotated for this release. The new key has been signed by the previous
>>> key to provide continuity.
>>>
>>> Reporting Bugs:
>>> ===============
>>>
>>> - Please read https://www.openssh.com/report.html
>>>   Security bugs should be reported directly to openssh(a)openssh.com
>>> _______________________________________________
>>> openssh-unix-announce mailing list
>>> openssh-unix-announce(a)mindrot.org
>>> https://lists.mindrot.org/mailman/listinfo/openssh-unix-announce
>>
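The forwarded announcement notes that its SHA256 values are base64 encoded rather than hexadecimal, which trips up a plain `sha256sum -c` during a package upgrade. The following is an added example, not part of the thread or of OpenSSH: it parses checksum lines in the announcement's format and verifies a downloaded tarball against them. The function names are assumptions made for this example; the two checksum values are copied from the announcement.

```python
import base64
import hashlib
import hmac
import re

# Checksum lines copied from the announcement above (portable tarball).
ANNOUNCEMENT = """\
- SHA1 (openssh-8.5p1.tar.gz) = 72eadcbe313b07b1dd3b693e41d3cd56d354e24e
- SHA256 (openssh-8.5p1.tar.gz) = 9S8/QdQpqpkY44zyAK8iXM3Y5m8FLaVyhwyJc3ZG7CU=
"""

CHECKSUM_LINE = re.compile(r"\b(SHA1|SHA256) \(([^)]+)\) = (\S+)")


def parse_checksums(text):
    """Return {(filename, algo): raw digest bytes} for every checksum line."""
    digests = {}
    for algo, name, value in CHECKSUM_LINE.findall(text):
        # The announcement gives SHA256 in base64 and SHA1 in hex.
        if algo == "SHA256":
            raw = base64.b64decode(value, validate=True)
        else:
            raw = bytes.fromhex(value)
        if len(raw) != hashlib.new(algo.lower()).digest_size:
            raise ValueError(f"{algo} value for {name} has the wrong length")
        digests[(name, algo.lower())] = raw
    return digests


def file_digest(path, algo="sha256", chunk=1 << 20):
    """Hash a file in chunks so large tarballs need not fit in memory."""
    h = hashlib.new(algo)
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            h.update(block)
    return h.digest()


def verify(path, name, digests, algo="sha256"):
    """True only if the file's digest equals the announced one for `name`."""
    expected = digests.get((name, algo))
    if expected is None:
        raise KeyError(f"no {algo} checksum announced for {name}")
    return hmac.compare_digest(file_digest(path, algo), expected)


if __name__ == "__main__":
    for (name, algo), raw in parse_checksums(ANNOUNCEMENT).items():
        # Hex is what sha256sum/sha1sum print, so this is directly comparable.
        print(f"{algo}  {raw.hex()}  {name}")
```

A checksum match only shows the download equals what the announcement lists; the release's PGP signature is what ties the tarball to the OpenSSH release key.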