public inbox for development@lists.ipfire.org
* Re: [openssh-unix-announce] Announce: OpenSSH 9.7 released
       [not found] <a3c0705e-08b8-47bd-a565-81815aa9c874@ipfire.org>
@ 2024-03-11 16:49 ` Michael Tremer
  0 siblings, 0 replies; only message in thread
From: Michael Tremer @ 2024-03-11 16:49 UTC (permalink / raw)
  To: development


Perfect. Thank you!

> On 11 Mar 2024, at 16:41, Adolf Belka <adolf.belka(a)ipfire.org> wrote:
> 
> Hi Michael,
> 
> On 11/03/2024 17:34, Michael Tremer wrote:
>> Is anyone happy to grab this one?
>> 
> I will pick it up.
> Regards,
> Adolf.
>>> Begin forwarded message:
>>> 
>>> From: Damien Miller <djm(a)cvs.openbsd.org>
>>> Subject: [openssh-unix-announce] Announce: OpenSSH 9.7 released
>>> Date: 11 March 2024 at 10:41:13 GMT
>>> To: openssh-unix-announce(a)mindrot.org
>>> 
>>> OpenSSH 9.7 has just been released. It will be available from the
>>> mirrors listed at https://www.openssh.com/ shortly.
>>> 
>>> OpenSSH is a 100% complete SSH protocol 2.0 implementation and
>>> includes sftp client and server support.
>>> 
>>> Once again, we would like to thank the OpenSSH community for their
>>> continued support of the project, especially those who contributed
>>> code or patches, reported bugs, tested snapshots or donated to the
>>> project. More information on donations may be found at:
>>> https://www.openssh.com/donations.html
>>> 
>>> Future deprecation notice
>>> =========================
>>> 
>>> OpenSSH plans to remove support for the DSA signature algorithm in
>>> early 2025 and compile-time disable it later this year.
>>> 
>>> DSA, as specified in the SSHv2 protocol, is inherently weak - being
>>> limited to a 160 bit private key and use of the SHA1 digest. Its
>>> estimated security level is only 80 bits symmetric equivalent.
>>> 
>>> OpenSSH has disabled DSA keys by default since 2015 but has retained
>>> run-time optional support for them. DSA was the only mandatory-to-
>>> implement algorithm in the SSHv2 RFCs[3], mostly because alternative
>>> algorithms were encumbered by patents when the SSHv2 protocol was
>>> specified.
>>> 
>>> This has not been the case for decades at this point and better
>>> algorithms are well supported by all actively-maintained SSH
>>> implementations. We do not consider the costs of maintaining DSA in
>>> OpenSSH to be justified and hope that removing it from OpenSSH can
>>> accelerate its wider deprecation in supporting cryptography
>>> libraries.
>>> 
>>> This release makes DSA support in OpenSSH compile-time optional,
>>> defaulting to on. We intend the next release to change the default
>>> to disable DSA at compile time. The first OpenSSH release of 2025
>>> will remove DSA support entirely.
>>> 
>>> Changes since OpenSSH 9.6
>>> =========================
>>> 
>>> This release contains mostly bugfixes.
>>> 
>>> New features
>>> ------------
>>> 
>>> * ssh(1), sshd(8): add a "global" ChannelTimeout type that watches
>>>   all open channels and will close all open channels if there is no
>>>   traffic on any of them for the specified interval. This is in
>>>   addition to the existing per-channel timeouts added recently.
>>> 
>>>   This supports situations like having both session and x11
>>>   forwarding channels open where one may be idle for an extended
>>>   period but the other is actively used. The global timeout could
>>>   close both channels when both have been idle for too long.
>>> 
>>> * All: make DSA key support compile-time optional, defaulting to on.
>>> 
>>> Bugfixes
>>> --------
>>> 
>>> * sshd(8): don't append an unnecessary space to the end of subsystem
>>>   arguments (bz3667)
>>> 
>>> * ssh(1): fix the multiplexing "channel proxy" mode, broken when
>>>   keystroke timing obfuscation was added. (GHPR#463)
>>> 
>>> * ssh(1), sshd(8): fix spurious configuration parsing errors when
>>>   options that accept array arguments are overridden (bz3657).
>>> 
>>> * ssh-agent(1): fix potential spin in signal handler (bz3670)
>>> 
>>> * Many fixes to manual pages and other documentation, including
>>>   GHPR#462, GHPR#454, GHPR#442 and GHPR#441.
>>> 
>>> * Greatly improve interop testing against PuTTY.
>>> 
>>> Portability
>>> -----------
>>> 
>>> * Improve the error message when the autoconf OpenSSL header check
>>>   fails (bz#3668)
>>> 
>>> * Improve detection of broken toolchain -fzero-call-used-regs support
>>>   (bz3645).
>>> 
>>> * Fix regress/misc/fuzz-harness fuzzers and make them compile without
>>>   warnings when using clang16
>>> 
>>> Checksums:
>>> ==========
>>> 
>>> - SHA1 (openssh-9.7.tar.gz) = 163272058edc20a8fde81661734a6684c9b4db11
>>> - SHA256 (openssh-9.7.tar.gz) = gXDWrF4wN2UWyPjyjvVhpjjKd7D2qI6LyZiIYhbJQVg=
>>> 
>>> - SHA1 (openssh-9.7p1.tar.gz) = ce8985ea0ea2f16a5917fd982ade0972848373cc
>>> - SHA256 (openssh-9.7p1.tar.gz) = SQQm92bYKidj/KzY2D6j1weYdQx70q/y5X3FZg93P/0=
>>> 
>>> Please note that the SHA256 signatures are base64 encoded and not
>>> hexadecimal (which is the default for most checksum tools). The PGP
>>> key used to sign the releases is available from the mirror sites:
>>> https://cdn.openbsd.org/pub/OpenBSD/OpenSSH/RELEASE_KEY.asc
>>> 
>>> Reporting Bugs:
>>> ===============
>>> 
>>> - Please read https://www.openssh.com/report.html
>>>  Security bugs should be reported directly to openssh(a)openssh.com
>>> _______________________________________________
>>> openssh-unix-announce mailing list
>>> openssh-unix-announce(a)mindrot.org
>>> https://lists.mindrot.org/mailman/listinfo/openssh-unix-announce
>> 
> 
> -- 
> Sent from my laptop
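
The announcement's note that the SHA256 values are base64 and not hexadecimal, as an added example (not part of the original message or of OpenSSH): a Python helper that accepts a published digest in either encoding and checks a downloaded tarball against it. The function names are illustrative assumptions; the two digest strings are copied from the announcement above.

```python
import base64
import binascii
import hashlib
import hmac

# Base64-encoded SHA-256 values as published in the announcement above.
PUBLISHED_SHA256_B64 = {
    "openssh-9.7.tar.gz": "gXDWrF4wN2UWyPjyjvVhpjjKd7D2qI6LyZiIYhbJQVg=",
    "openssh-9.7p1.tar.gz": "SQQm92bYKidj/KzY2D6j1weYdQx70q/y5X3FZg93P/0=",
}


def decode_digest(text: str) -> bytes:
    """Return the raw 32-byte SHA-256 digest from hex or base64 text."""
    text = text.strip()
    if len(text) == 64:  # what sha256sum-style tools print
        try:
            return bytes.fromhex(text)
        except ValueError:
            pass
    try:
        raw = base64.b64decode(text, validate=True)
    except (binascii.Error, ValueError) as exc:
        raise ValueError("digest is neither hex nor base64") from exc
    if len(raw) != hashlib.sha256().digest_size:
        raise ValueError("decoded digest is not 32 bytes")
    return raw


def file_sha256(path: str) -> bytes:
    """Hash a file in 1 MiB chunks so large tarballs are not loaded whole."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            h.update(chunk)
    return h.digest()


def verify_file(path: str, published: str) -> bool:
    """Compare the file's digest with the published one on raw bytes."""
    return hmac.compare_digest(file_sha256(path), decode_digest(published))


def published_as_hex(name: str) -> str:
    """Hex form of a published digest, for comparison with sha256sum output."""
    return decode_digest(PUBLISHED_SHA256_B64[name]).hex()
```

Comparing decoded bytes rather than strings avoids false mismatches from encoding or letter-case differences; a checksum match does not replace verifying the PGP signature against the release key mentioned in the announcement.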

