From: Michael Tremer
To: development@lists.ipfire.org
Subject: Re: [openssh-unix-announce] Announce: OpenSSH 9.7 released
Date: Mon, 11 Mar 2024 16:49:50 +0000
Message-ID: <5757F306-F8D8-4C2D-81B0-191AE3225AA9@ipfire.org>

Perfect. Thank you!

> On 11 Mar 2024, at 16:41, Adolf Belka wrote:
>
> Hi Michael,
>
> On 11/03/2024 17:34, Michael Tremer wrote:
>> Is anyone happy to grab this one?
>>
> I will pick it up.
> Regards,
> Adolf.
>>> Begin forwarded message:
>>>
>>> From: Damien Miller
>>> Subject: [openssh-unix-announce] Announce: OpenSSH 9.7 released
>>> Date: 11 March 2024 at 10:41:13 GMT
>>> To: openssh-unix-announce(a)mindrot.org
>>>
>>> OpenSSH 9.7 has just been released. It will be available from the
>>> mirrors listed at https://www.openssh.com/ shortly.
>>>
>>> OpenSSH is a 100% complete SSH protocol 2.0 implementation and
>>> includes sftp client and server support.
>>>
>>> Once again, we would like to thank the OpenSSH community for their
>>> continued support of the project, especially those who contributed
>>> code or patches, reported bugs, tested snapshots or donated to the
>>> project. More information on donations may be found at:
>>> https://www.openssh.com/donations.html
>>>
>>> Future deprecation notice
>>> =========================
>>>
>>> OpenSSH plans to remove support for the DSA signature algorithm in
>>> early 2025 and compile-time disable it later this year.
>>>
>>> DSA, as specified in the SSHv2 protocol, is inherently weak - being
>>> limited to a 160 bit private key and use of the SHA1 digest. Its
>>> estimated security level is only 80 bits symmetric equivalent.
>>>
>>> OpenSSH has disabled DSA keys by default since 2015 but has retained
>>> run-time optional support for them. DSA was the only mandatory-to-
>>> implement algorithm in the SSHv2 RFCs[3], mostly because alternative
>>> algorithms were encumbered by patents when the SSHv2 protocol was
>>> specified.
>>>
>>> This has not been the case for decades at this point and better
>>> algorithms are well supported by all actively-maintained SSH
>>> implementations. We do not consider the costs of maintaining DSA in
>>> OpenSSH to be justified and hope that removing it from OpenSSH can
>>> accelerate its wider deprecation in supporting cryptography
>>> libraries.
>>>
>>> This release makes DSA support in OpenSSH compile-time optional,
>>> defaulting to on. We intend the next release to change the default
>>> to disable DSA at compile time. The first OpenSSH release of 2025
>>> will remove DSA support entirely.
>>>
>>> Changes since OpenSSH 9.6
>>> =========================
>>>
>>> This release contains mostly bugfixes.
>>>
>>> New features
>>> ------------
>>>
>>> * ssh(1), sshd(8): add a "global" ChannelTimeout type that watches
>>>   all open channels and will close all open channels if there is no
>>>   traffic on any of them for the specified interval. This is in
>>>   addition to the existing per-channel timeouts added recently.
>>>
>>>   This supports situations like having both session and x11
>>>   forwarding channels open where one may be idle for an extended
>>>   period but the other is actively used. The global timeout could
>>>   close both channels when both have been idle for too long.
>>>
>>> * All: make DSA key support compile-time optional, defaulting to on.
>>>
>>> Bugfixes
>>> --------
>>>
>>> * sshd(8): don't append an unnecessary space to the end of subsystem
>>>   arguments (bz3667)
>>>
>>> * ssh(1): fix the multiplexing "channel proxy" mode, broken when
>>>   keystroke timing obfuscation was added. (GHPR#463)
>>>
>>> * ssh(1), sshd(8): fix spurious configuration parsing errors when
>>>   options that accept array arguments are overridden (bz3657).
>>>
>>> * ssh-agent(1): fix potential spin in signal handler (bz3670)
>>>
>>> * Many fixes to manual pages and other documentation, including
>>>   GHPR#462, GHPR#454, GHPR#442 and GHPR#441.
>>>
>>> * Greatly improve interop testing against PuTTY.
>>>
>>> Portability
>>> -----------
>>>
>>> * Improve the error message when the autoconf OpenSSL header check
>>>   fails (bz#3668)
>>>
>>> * Improve detection of broken toolchain -fzero-call-used-regs support
>>>   (bz3645).
>>>
>>> * Fix regress/misc/fuzz-harness fuzzers and make them compile without
>>>   warnings when using clang16
>>>
>>> Checksums:
>>> ==========
>>>
>>> - SHA1 (openssh-9.7.tar.gz) = 163272058edc20a8fde81661734a6684c9b4db11
>>> - SHA256 (openssh-9.7.tar.gz) = gXDWrF4wN2UWyPjyjvVhpjjKd7D2qI6LyZiIYhbJQVg=
>>>
>>> - SHA1 (openssh-9.7p1.tar.gz) = ce8985ea0ea2f16a5917fd982ade0972848373cc
>>> - SHA256 (openssh-9.7p1.tar.gz) = SQQm92bYKidj/KzY2D6j1weYdQx70q/y5X3FZg93P/0=
>>>
>>> Please note that the SHA256 signatures are base64 encoded and not
>>> hexadecimal (which is the default for most checksum tools). The PGP
>>> key used to sign the releases is available from the mirror sites:
>>> https://cdn.openbsd.org/pub/OpenBSD/OpenSSH/RELEASE_KEY.asc
>>>
>>> Reporting Bugs:
>>> ===============
>>>
>>> - Please read https://www.openssh.com/report.html
>>>   Security bugs should be reported directly to openssh(a)openssh.com
>>> _______________________________________________
>>> openssh-unix-announce mailing list
>>> openssh-unix-announce(a)mindrot.org
>>> https://lists.mindrot.org/mailman/listinfo/openssh-unix-announce
>>
>
> --
> Sent from my laptop
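
Added example, not part of the mail thread or of the OpenSSH release: the announcement publishes its SHA256 checksums base64 encoded rather than in hex, so this shell example converts such a value to hex and compares it with `sha256sum` output. The function names are made up for illustration, GNU coreutils (`base64`, `sha256sum`, `od`) are assumed, and the demo input is a constructed empty file.

```shell
#!/bin/sh
# Added example: verify a file against a base64-encoded SHA-256 digest,
# the form used in the checksum list of the announcement.
# Assumes GNU coreutils (base64, sha256sum, od); function names are illustrative.

# b64_to_hex BASE64 -> prints the decoded bytes as lowercase hex
b64_to_hex() {
    printf '%s' "$1" | base64 -d 2>/dev/null | od -An -v -tx1 | tr -d ' \n'
}

# verify_b64_sha256 FILE BASE64_DIGEST
# returns 0 on match, 1 on mismatch, 2 if the digest is not 32 bytes of base64
verify_b64_sha256() {
    expected=$(b64_to_hex "$2")
    # A SHA-256 digest is 32 bytes, i.e. 64 hex characters; anything else
    # means the published value was truncated or mangled in transit.
    [ "${#expected}" -eq 64 ] || return 2
    actual=$(sha256sum "$1" | cut -d' ' -f1)
    [ "$expected" = "$actual" ]
}

# Constructed demo input: an empty file. The SHA-256 of empty input is
# e3b0c442...7852b855 in hex, which is 47DEQpj8... in base64.
demo_file=$(mktemp)
if verify_b64_sha256 "$demo_file" '47DEQpj8HBSa+/TImW+5JCeuQeRkm5NMpJWZG3hSuFU='; then
    echo "demo: checksum matches"
else
    echo "demo: checksum MISMATCH"
fi
rm -f "$demo_file"
```

To check a downloaded tarball, pass its path and the SHA256 value from the checksum list in the announcement.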
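
Added example, not part of the mail thread or of OpenSSH itself: with DSA support scheduled for removal as described in the deprecation notice, this shell function lists DSA (`ssh-dss`) entries in `authorized_keys` or `known_hosts` style files so they can be replaced beforehand. The function name and the sample file are constructed for illustration, and the key blobs in the sample are placeholders.

```shell
#!/bin/sh
# Added example: list DSA ("ssh-dss") public keys in authorized_keys or
# known_hosts style files, ahead of the removal described in the announcement.
# Function name and sample file contents are illustrative.

# find_dsa_keys FILE... -> prints "file:line:keytype" for every DSA entry
find_dsa_keys() {
    for f in "$@"; do
        [ -r "$f" ] || continue
        awk -v file="$f" '
            /^[ \t]*(#|$)/ { next }          # skip comments and blank lines
            {
                # The key type may follow options (authorized_keys) or a
                # host pattern (known_hosts), so test every field; the
                # base64 key blob that follows always starts with "AAAA".
                for (i = 1; i < NF; i++) {
                    if (($i == "ssh-dss" || $i == "ssh-dss-cert-v01@openssh.com") &&
                        $(i + 1) ~ /^AAAA/) {
                        printf "%s:%d:%s\n", file, NR, $i
                        next
                    }
                }
            }' "$f"
    done
}

# Constructed sample: key blobs are truncated placeholders, not real keys.
sample=$(mktemp)
cat > "$sample" <<'EOF'
# constructed authorized_keys sample
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5PLACEHOLDER alice@example
from="192.0.2.10",no-pty ssh-dss AAAAB3NzaC1kc3MPLACEHOLDER legacy-backup
command="echo ssh-dss" ssh-rsa AAAAB3NzaC1yc2EPLACEHOLDER bob@example
EOF
find_dsa_keys "$sample"   # reports line 3 only
rm -f "$sample"
```

The third sample key shows why the type token is matched as a whole field followed by a key blob: the string `ssh-dss` inside a `command=` option does not trigger a report.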