From: "Adolf Belka (ipfire)"
To: development@lists.ipfire.org
Subject: Re: Fwd: [openssh-unix-announce] Announce: OpenSSH 8.5 released
Date: Wed, 03 Mar 2021 13:30:47 +0100
Message-ID: <9f767b9b-1fde-df56-76e4-99198791b18b@ipfire.org>
In-Reply-To: <799CC42A-9FF1-4ACA-86E5-CADC0F2B18CA@ipfire.org>

Hi Michael,

I will pick this up.

Regards,

Adolf.

On 03/03/2021 11:16, Michael Tremer wrote:
> Who wants to grab this one?
>
> Looks like a simple package upgrade with no other changes required.
>
> Best,
> -Michael
>
>> Begin forwarded message:
>>
>> *From: *Damien Miller
>> *Subject: **[openssh-unix-announce] Announce: OpenSSH 8.5 released*
>> *Date: *3 March 2021 at 01:19:55 GMT
>> *To: *openssh-unix-announce(a)mindrot.org
>>
>> OpenSSH 8.5 has just been released. It will be available from the
>> mirrors listed at https://www.openssh.com/ shortly.
>>
>> OpenSSH is a 100% complete SSH protocol 2.0 implementation and
>> includes sftp client and server support.
>>
>> Once again, we would like to thank the OpenSSH community for their
>> continued support of the project, especially those who contributed
>> code or patches, reported bugs, tested snapshots or donated to the
>> project. More information on donations may be found at:
>> https://www.openssh.com/donations.html
>>
>> Future deprecation notice
>> =========================
>>
>> It is now possible[1] to perform chosen-prefix attacks against the
>> SHA-1 algorithm for less than USD$50K.
>>
>> In the SSH protocol, the "ssh-rsa" signature scheme uses the SHA-1
>> hash algorithm in conjunction with the RSA public key algorithm.
>> OpenSSH will disable this signature scheme by default in the near
>> future.
>>
>> Note that the deactivation of "ssh-rsa" signatures does not necessarily
>> require cessation of use for RSA keys. In the SSH protocol, keys may be
>> capable of signing using multiple algorithms. In particular, "ssh-rsa"
>> keys are capable of signing using "rsa-sha2-256" (RSA/SHA256),
>> "rsa-sha2-512" (RSA/SHA512) and "ssh-rsa" (RSA/SHA1). Only the last of
>> these is being turned off by default.
>>
>> This algorithm is unfortunately still used widely despite the
>> existence of better alternatives, being the only remaining public key
>> signature algorithm specified by the original SSH RFCs that is still
>> enabled by default.
>>
>> The better alternatives include:
>>
>> * The RFC8332 RSA SHA-2 signature algorithms rsa-sha2-256/512. These
>>   algorithms have the advantage of using the same key type as
>>   "ssh-rsa" but use the safe SHA-2 hash algorithms. These have been
>>   supported since OpenSSH 7.2 and are already used by default if the
>>   client and server support them.
>>
>> * The RFC8709 ssh-ed25519 signature algorithm. It has been supported
>>   in OpenSSH since release 6.5.
>>
>> * The RFC5656 ECDSA algorithms: ecdsa-sha2-nistp256/384/521. These
>>   have been supported by OpenSSH since release 5.7.
>>
>> To check whether a server is using the weak ssh-rsa public key
>> algorithm, for host authentication, try to connect to it after
>> removing the ssh-rsa algorithm from ssh(1)'s allowed list:
>>
>>    ssh -oHostKeyAlgorithms=-ssh-rsa user@host
>>
>> If the host key verification fails and no other supported host key
>> types are available, the server software on that host should be
>> upgraded.
>>
>> This release enables the UpdateHostKeys option by default to assist
>> the client by automatically migrating to better algorithms.
>>
>> [1] "SHA-1 is a Shambles: First Chosen-Prefix Collision on SHA-1 and
>>     Application to the PGP Web of Trust" Leurent, G and Peyrin, T
>>     (2020) https://eprint.iacr.org/2020/014.pdf
>>
>> Security
>> ========
>>
>> * ssh-agent(1): fixed a double-free memory corruption that was
>>   introduced in OpenSSH 8.2. We treat all such memory faults as
>>   potentially exploitable. This bug could be reached by an attacker
>>   with access to the agent socket.
>>
>>   On modern operating systems where the OS can provide information
>>   about the user identity connected to a socket, OpenSSH ssh-agent
>>   and sshd limit agent socket access only to the originating user
>>   and root. Additional mitigation may be afforded by the system's
>>   malloc(3)/free(3) implementation, if it detects double-free
>>   conditions.
>>
>>   The most likely scenario for exploitation is a user forwarding an
>>   agent either to an account shared with a malicious user or to a
>>   host with an attacker holding root access.
>>
>> * Portable sshd(8): Prevent excessively long username going to PAM.
>>   This is a mitigation for a buffer overflow in Solaris' PAM username
>>   handling (CVE-2020-14871), and is only enabled for Sun-derived PAM
>>   implementations. This is not a problem in sshd itself, it only
>>   prevents sshd from being used as a vector to attack Solaris' PAM.
>>   It does not prevent the bug in PAM from being exploited via some
>>   other PAM application. GHPR#212
>>
>>
>> Potentially-incompatible changes
>> ================================
>>
>> This release includes a number of changes that may affect existing
>> configurations:
>>
>> * ssh(1), sshd(8): this release changes the first-preference signature
>>   algorithm from ECDSA to ED25519.
>>
>> * ssh(1), sshd(8): set the TOS/DSCP specified in the configuration
>>   for interactive use prior to TCP connect. The connection phase of
>>   the SSH session is time-sensitive and often explicitly interactive.
>>   The ultimate interactive/bulk TOS/DSCP will be set after
>>   authentication completes.
>>
>> * ssh(1), sshd(8): remove the pre-standardization cipher
>>   rijndael-cbc@lysator.liu.se. It is an alias for aes256-cbc before
>>   it was standardized in RFC4253 (2006), has been deprecated and
>>   disabled by default since OpenSSH 7.2 (2016) and was only briefly
>>   documented in ssh.1 in 2001.
>>
>> * ssh(1), sshd(8): update/replace the experimental post-quantum
>>   hybrid key exchange method based on Streamlined NTRU Prime coupled
>>   with X25519.
>>
>>   The previous sntrup4591761x25519-sha512@tinyssh.org method is
>>   replaced with sntrup761x25519-sha512@openssh.com. Per its
>>   designers, the sntrup4591761 algorithm was superseded almost two
>>   years ago by sntrup761.
>>
>>   (note that both the updated method and the one that it replaced are
>>   disabled by default)
>>
>> * ssh(1): disable CheckHostIP by default. It provides insignificant
>>   benefits while making key rotation significantly more difficult,
>>   especially for hosts behind IP-based load-balancers.
>>
>> Changes since OpenSSH 8.4
>> =========================
>>
>> New features
>> ------------
>>
>> * ssh(1): this release enables UpdateHostkeys by default subject to
>>   some conservative preconditions:
>>    - The key was matched in the UserKnownHostsFile (and not in the
>>      GlobalKnownHostsFile).
>>    - The same key does not exist under another name.
>>    - A certificate host key is not in use.
>>    - known_hosts contains no matching wildcard hostname pattern.
>>    - VerifyHostKeyDNS is not enabled.
>>    - The default UserKnownHostsFile is in use.
>>
>>   We expect some of these conditions will be modified or relaxed in
>>   future.
>>
>> * ssh(1), sshd(8): add a new LogVerbose configuration directive
>>   that allows forcing maximum debug logging by file/function/line
>>   pattern-lists.
>>
>> * ssh(1): when prompting the user to accept a new hostkey, display
>>   any other host names/addresses already associated with the key.
>>
>> * ssh(1): allow UserKnownHostsFile=none to indicate that no
>>   known_hosts file should be used to identify host keys.
>>
>> * ssh(1): add a ssh_config KnownHostsCommand option that allows the
>>   client to obtain known_hosts data from a command in addition to
>>   the usual files.
>>
>> * ssh(1): add a ssh_config PermitRemoteOpen option that allows the
>>   client to restrict the destination when RemoteForward is used
>>   with SOCKS.
>>
>> * ssh(1): for FIDO keys, if a signature operation fails with an
>>   "incorrect PIN" reason and no PIN was initially requested from the
>>   user, then request a PIN and retry the operation. This supports
>>   some biometric devices that fall back to requiring PIN when reading
>>   of the biometric failed, and devices that require PINs for all
>>   hosted credentials.
>>
>> * sshd(8): implement client address-based rate-limiting via new
>>   sshd_config(5) PerSourceMaxStartups and PerSourceNetBlockSize
>>   directives that provide more fine-grained control on a per-origin
>>   address basis than the global MaxStartups limit.
>>
>> Bugfixes
>> --------
>>
>> * ssh(1): Prefix keyboard interactive prompts with "(user@host)" to
>>   make it easier to determine which connection they are associated
>>   with in cases like scp -3, ProxyJump, etc. bz#3224
>>
>> * sshd(8): fix sshd_config SetEnv directives located inside Match
>>   blocks. GHPR#201
>>
>> * ssh(1): when requesting a FIDO token touch on stderr, inform the
>>   user once the touch has been recorded.
>>
>> * ssh(1): prevent integer overflow when ridiculously large
>>   ConnectTimeout values are specified, capping the effective value
>>   (for most platforms) at 24 days. bz#3229
>>
>> * ssh(1): consider the ECDSA key subtype when ordering host key
>>   algorithms in the client.
>>
>> * ssh(1), sshd(8): rename the PubkeyAcceptedKeyTypes keyword to
>>   PubkeyAcceptedAlgorithms. The previous name incorrectly suggested
>>   that it controlled allowed key algorithms, when this option actually
>>   specifies the signature algorithms that are accepted. The previous
>>   name remains available as an alias. bz#3253
>>
>> * ssh(1), sshd(8): similarly, rename HostbasedKeyTypes (ssh) and
>>   HostbasedAcceptedKeyTypes (sshd) to HostbasedAcceptedAlgorithms.
>>
>> * sftp-server(8): add missing lsetstat@openssh.com documentation
>>   and advertisement in the server's SSH2_FXP_VERSION hello packet.
>>
>> * ssh(1), sshd(8): more strictly enforce KEX state-machine by
>>   banning packet types once they are received. Fixes memleak caused
>>   by duplicate SSH2_MSG_KEX_DH_GEX_REQUEST (oss-fuzz #30078).
>>
>> * sftp(1): allow the full range of UIDs/GIDs for chown/chgrp on 32bit
>>   platforms instead of being limited by LONG_MAX. bz#3206
>>
>> * Minor man page fixes (capitalization, commas, etc.) bz#3223
>>
>> * sftp(1): when doing an sftp recursive upload or download of a
>>   read-only directory, ensure that the directory is created with
>>   write and execute permissions in the interim so that the transfer
>>   can actually complete, then set the directory permission as the
>>   final step. bz#3222
>>
>> * ssh-keygen(1): document the -Z, check the validity of its argument
>>   earlier and provide a better error message if it's not correct.
>>   bz#2879
>>
>> * ssh(1): ignore comments at the end of config lines in ssh_config,
>>   similar to what we already do for sshd_config. bz#2320
>>
>> * sshd_config(5): mention that DisableForwarding is valid in a
>>   sshd_config Match block. bz3239
>>
>> * sftp(1): fix incorrect sorting of "ls -ltr" under some
>>   circumstances. bz3248.
>>
>> * ssh(1), sshd(8): fix potential integer truncation of (unlikely)
>>   timeout values. bz#3250
>>
>> * ssh(1): make hostbased authentication send the signature algorithm
>>   in its SSH2_MSG_USERAUTH_REQUEST packets instead of the key type.
>>   This makes HostbasedAcceptedAlgorithms do what it is supposed to -
>>   filter on signature algorithm and not key type.
>>
>> Portability
>> -----------
>>
>> * sshd(8): add a number of platform-specific syscalls to the Linux
>>   seccomp-bpf sandbox. bz#3232 bz#3260
>>
>> * sshd(8): remove debug message from sigchld handler that could cause
>>   deadlock on some platforms. bz#3259
>>
>> * Sync contrib/ssh-copy-id with upstream.
>>
>> * unittests: add a hostname function for systems that don't have it.
>>   Some systems don't have a hostname command (it's not required by
>>   POSIX). They do have uname -n (which is), but not all of those have
>>   it report the FQDN.
>>
>> Checksums:
>> ==========
>>
>> - SHA1 (openssh-8.5.tar.gz) = 04cae43c389fb411227c01219e4eb46e3113f34e
>> - SHA256 (openssh-8.5.tar.gz) = 5qB2CgzNG4io4DmChTjHgCWqRWvEOvCKJskLdJCz+SU=
>>
>> - SHA1 (openssh-8.5p1.tar.gz) = 72eadcbe313b07b1dd3b693e41d3cd56d354e24e
>> - SHA256 (openssh-8.5p1.tar.gz) = 9S8/QdQpqpkY44zyAK8iXM3Y5m8FLaVyhwyJc3ZG7CU=
>>
>> Please note that the SHA256 signatures are base64 encoded and not
>> hexadecimal (which is the default for most checksum tools). The PGP
>> key used to sign the releases is available from the mirror sites:
>> https://cdn.openbsd.org/pub/OpenBSD/OpenSSH/RELEASE_KEY.asc
>>
>> Please note that the OpenPGP key used to sign releases has been
>> rotated for this release. The new key has been signed by the previous
>> key to provide continuity.
>>
>> Reporting Bugs:
>> ===============
>>
>> - Please read https://www.openssh.com/report.html
>>  Security bugs should be reported directly to openssh(a)openssh.com
>> _______________________________________________
>> openssh-unix-announce mailing list
>> openssh-unix-announce(a)mindrot.org
>> https://lists.mindrot.org/mailman/listinfo/openssh-unix-announce
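
Added example, not part of the original message and not OpenSSH project code: the checksum note in the announcement says the SHA256 values are base64 rather than hex, so this Python sketch parses "ALGO (file) = digest" lines in either encoding and checks them against file contents. The function names and the sample bytes are assumptions constructed for illustration.

```python
import base64
import binascii
import hashlib
import hmac
import re

# "ALGO (file) = digest", optionally behind quote markers or a list dash.
LINE_RE = re.compile(
    r"^\W*(?P<algo>SHA1|SHA256)\s+\((?P<name>[^)]+)\)\s*=\s*(?P<digest>\S+)\s*$")
DIGEST_LEN = {"SHA1": 20, "SHA256": 32}  # raw digest sizes in bytes


def parse_checksum_line(line):
    """Return (algo, filename, raw digest bytes); raise ValueError if malformed."""
    m = LINE_RE.match(line)
    if not m:
        raise ValueError("not a checksum line")
    algo, text = m["algo"], m["digest"]
    want = DIGEST_LEN[algo]
    # Try hex first: a hex digest is exactly 2*want hex characters, and such a
    # string would also pass as base64 (decoding to the wrong length).
    if len(text) == 2 * want and re.fullmatch(r"[0-9a-fA-F]+", text):
        return algo, m["name"], bytes.fromhex(text)
    try:
        raw = base64.b64decode(text, validate=True)
    except binascii.Error as exc:
        raise ValueError("digest is neither hex nor base64") from exc
    if len(raw) != want:
        raise ValueError("decoded digest has the wrong length for " + algo)
    return algo, m["name"], raw


def verify(line, data):
    """True if data hashes to the digest given on the checksum line."""
    algo, _name, expected = parse_checksum_line(line)
    actual = hashlib.new(algo.lower(), data).digest()
    return hmac.compare_digest(actual, expected)


def as_hex(line):
    """Digest in hex, for comparison with sha256sum-style tool output."""
    return parse_checksum_line(line)[2].hex()


if __name__ == "__main__":
    sample = b"constructed sample bytes, not the real tarball\n"
    b64 = base64.b64encode(hashlib.sha256(sample).digest()).decode()
    line = ">> - SHA256 (sample.tar.gz) = " + b64  # constructed checksum line
    print(verify(line, sample), verify(line, sample + b"tampered"))
    print(as_hex(line))
```

To check a real download, pass the file's bytes and the matching checksum line from the announcement to verify(); as_hex() gives the value to compare against a hex-printing checksum tool.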