Is anyone happy to grab this one?
Begin forwarded message:
From: Damien Miller djm@cvs.openbsd.org Subject: [openssh-unix-announce] Announce: OpenSSH 9.7 released Date: 11 March 2024 at 10:41:13 GMT To: openssh-unix-announce@mindrot.org
OpenSSH 9.7 has just been released. It will be available from the mirrors listed at https://www.openssh.com/ shortly.
OpenSSH is a 100% complete SSH protocol 2.0 implementation and includes sftp client and server support.
Once again, we would like to thank the OpenSSH community for their continued support of the project, especially those who contributed code or patches, reported bugs, tested snapshots or donated to the project. More information on donations may be found at: https://www.openssh.com/donations.html
Future deprecation notice
OpenSSH plans to remove support for the DSA signature algorithm in early 2025 and compile-time disable it later this year.
DSA, as specified in the SSHv2 protocol, is inherently weak - being limited to a 160 bit private key and use of the SHA1 digest. Its estimated security level is only 80 bits symmetric equivalent.
OpenSSH has disabled DSA keys by default since 2015 but has retained run-time optional support for them. DSA was the only mandatory-to- implement algorithm in the SSHv2 RFCs[3], mostly because alternative algorithms were encumbered by patents when the SSHv2 protocol was specified.
This has not been the case for decades at this point and better algorithms are well supported by all actively-maintained SSH implementations. We do not consider the costs of maintaining DSA in OpenSSH to be justified and hope that removing it from OpenSSH can accelerate its wider deprecation in supporting cryptography libraries.
This release makes DSA support in OpenSSH compile-time optional, defaulting to on. We intend the next release to change the default to disable DSA at compile time. The first OpenSSH release of 2025 will remove DSA support entirely.
Changes since OpenSSH 9.6
This release contains mostly bugfixes.
New features
ssh(1), sshd(8): add a "global" ChannelTimeout type that watches all open channels and will close all open channels if there is no traffic on any of them for the specified interval. This is in addition to the existing per-channel timeouts added recently.
This supports situations like having both session and x11 forwarding channels open where one may be idle for an extended period but the other is actively used. The global timeout could close both channels when both have been idle for too long.
All: make DSA key support compile-time optional, defaulting to on.
Bugfixes
sshd(8): don't append an unnecessary space to the end of subsystem arguments (bz3667)
ssh(1): fix the multiplexing "channel proxy" mode, broken when keystroke timing obfuscation was added. (GHPR#463)
ssh(1), sshd(8): fix spurious configuration parsing errors when options that accept array arguments are overridden (bz3657).
ssh-agent(1): fix potential spin in signal handler (bz3670)
Many fixes to manual pages and other documentation, including GHPR#462, GHPR#454, GHPR#442 and GHPR#441.
Greatly improve interop testing against PuTTY.
Portability
Improve the error message when the autoconf OpenSSL header check fails (bz#3668)
Improve detection of broken toolchain -fzero-call-used-regs support (bz3645).
Fix regress/misc/fuzz-harness fuzzers and make them compile without warnings when using clang16
Checksums:
SHA1 (openssh-9.7.tar.gz) = 163272058edc20a8fde81661734a6684c9b4db11
SHA256 (openssh-9.7.tar.gz) = gXDWrF4wN2UWyPjyjvVhpjjKd7D2qI6LyZiIYhbJQVg=
SHA1 (openssh-9.7p1.tar.gz) = ce8985ea0ea2f16a5917fd982ade0972848373cc
SHA256 (openssh-9.7p1.tar.gz) = SQQm92bYKidj/KzY2D6j1weYdQx70q/y5X3FZg93P/0=
Please note that the SHA256 signatures are base64 encoded and not hexadecimal (which is the default for most checksum tools). The PGP key used to sign the releases is available from the mirror sites: https://cdn.openbsd.org/pub/OpenBSD/OpenSSH/RELEASE_KEY.asc
Reporting Bugs:
- Please read https://www.openssh.com/report.html
Security bugs should be reported directly to openssh@openssh.com _______________________________________________ openssh-unix-announce mailing list openssh-unix-announce@mindrot.org https://lists.mindrot.org/mailman/listinfo/openssh-unix-announce
Hi Michael,
On 11/03/2024 17:34, Michael Tremer wrote:
Is anyone happy to grab this one?
I will pick it up. Regards, Adolf.
Begin forwarded message:
*From: *Damien Miller djm@cvs.openbsd.org *Subject: **[openssh-unix-announce] Announce: OpenSSH 9.7 released* *Date: *11 March 2024 at 10:41:13 GMT *To: *openssh-unix-announce@mindrot.org
OpenSSH 9.7 has just been released. It will be available from the mirrors listed at https://www.openssh.com/ shortly.
OpenSSH is a 100% complete SSH protocol 2.0 implementation and includes sftp client and server support.
Once again, we would like to thank the OpenSSH community for their continued support of the project, especially those who contributed code or patches, reported bugs, tested snapshots or donated to the project. More information on donations may be found at: https://www.openssh.com/donations.html
Future deprecation notice
OpenSSH plans to remove support for the DSA signature algorithm in early 2025 and compile-time disable it later this year.
DSA, as specified in the SSHv2 protocol, is inherently weak - being limited to a 160 bit private key and use of the SHA1 digest. Its estimated security level is only 80 bits symmetric equivalent.
OpenSSH has disabled DSA keys by default since 2015 but has retained run-time optional support for them. DSA was the only mandatory-to- implement algorithm in the SSHv2 RFCs[3], mostly because alternative algorithms were encumbered by patents when the SSHv2 protocol was specified.
This has not been the case for decades at this point and better algorithms are well supported by all actively-maintained SSH implementations. We do not consider the costs of maintaining DSA in OpenSSH to be justified and hope that removing it from OpenSSH can accelerate its wider deprecation in supporting cryptography libraries.
This release makes DSA support in OpenSSH compile-time optional, defaulting to on. We intend the next release to change the default to disable DSA at compile time. The first OpenSSH release of 2025 will remove DSA support entirely.
Changes since OpenSSH 9.6
This release contains mostly bugfixes.
New features
- ssh(1), sshd(8): add a "global" ChannelTimeout type that watches
all open channels and will close all open channels if there is no traffic on any of them for the specified interval. This is in addition to the existing per-channel timeouts added recently.
This supports situations like having both session and x11 forwarding channels open where one may be idle for an extended period but the other is actively used. The global timeout could close both channels when both have been idle for too long.
- All: make DSA key support compile-time optional, defaulting to on.
Bugfixes
- sshd(8): don't append an unnecessary space to the end of subsystem
arguments (bz3667)
- ssh(1): fix the multiplexing "channel proxy" mode, broken when
keystroke timing obfuscation was added. (GHPR#463)
- ssh(1), sshd(8): fix spurious configuration parsing errors when
options that accept array arguments are overridden (bz3657).
ssh-agent(1): fix potential spin in signal handler (bz3670)
Many fixes to manual pages and other documentation, including
GHPR#462, GHPR#454, GHPR#442 and GHPR#441.
- Greatly improve interop testing against PuTTY.
Portability
- Improve the error message when the autoconf OpenSSL header check
fails (bz#3668)
- Improve detection of broken toolchain -fzero-call-used-regs support
(bz3645).
- Fix regress/misc/fuzz-harness fuzzers and make them compile without
warnings when using clang16
Checksums:
- SHA1 (openssh-9.7.tar.gz) = 163272058edc20a8fde81661734a6684c9b4db11
- SHA256 (openssh-9.7.tar.gz) =
gXDWrF4wN2UWyPjyjvVhpjjKd7D2qI6LyZiIYhbJQVg=
- SHA1 (openssh-9.7p1.tar.gz) = ce8985ea0ea2f16a5917fd982ade0972848373cc
- SHA256 (openssh-9.7p1.tar.gz) =
SQQm92bYKidj/KzY2D6j1weYdQx70q/y5X3FZg93P/0=
Please note that the SHA256 signatures are base64 encoded and not hexadecimal (which is the default for most checksum tools). The PGP key used to sign the releases is available from the mirror sites: https://cdn.openbsd.org/pub/OpenBSD/OpenSSH/RELEASE_KEY.asc
Reporting Bugs:
- Please read https://www.openssh.com/report.html
Security bugs should be reported directly to openssh@openssh.com _______________________________________________ openssh-unix-announce mailing list openssh-unix-announce@mindrot.org https://lists.mindrot.org/mailman/listinfo/openssh-unix-announce
Perfect. Thank you!
On 11 Mar 2024, at 16:41, Adolf Belka adolf.belka@ipfire.org wrote:
Hi Michael,
On 11/03/2024 17:34, Michael Tremer wrote:
Is anyone happy to grab this one?
I will pick it up. Regards, Adolf.
Begin forwarded message:
From: Damien Miller djm@cvs.openbsd.org Subject: [openssh-unix-announce] Announce: OpenSSH 9.7 released Date: 11 March 2024 at 10:41:13 GMT To: openssh-unix-announce@mindrot.org
OpenSSH 9.7 has just been released. It will be available from the mirrors listed at https://www.openssh.com/ shortly.
OpenSSH is a 100% complete SSH protocol 2.0 implementation and includes sftp client and server support.
Once again, we would like to thank the OpenSSH community for their continued support of the project, especially those who contributed code or patches, reported bugs, tested snapshots or donated to the project. More information on donations may be found at: https://www.openssh.com/donations.html
Future deprecation notice
OpenSSH plans to remove support for the DSA signature algorithm in early 2025 and compile-time disable it later this year.
DSA, as specified in the SSHv2 protocol, is inherently weak - being limited to a 160 bit private key and use of the SHA1 digest. Its estimated security level is only 80 bits symmetric equivalent.
OpenSSH has disabled DSA keys by default since 2015 but has retained run-time optional support for them. DSA was the only mandatory-to- implement algorithm in the SSHv2 RFCs[3], mostly because alternative algorithms were encumbered by patents when the SSHv2 protocol was specified.
This has not been the case for decades at this point and better algorithms are well supported by all actively-maintained SSH implementations. We do not consider the costs of maintaining DSA in OpenSSH to be justified and hope that removing it from OpenSSH can accelerate its wider deprecation in supporting cryptography libraries.
This release makes DSA support in OpenSSH compile-time optional, defaulting to on. We intend the next release to change the default to disable DSA at compile time. The first OpenSSH release of 2025 will remove DSA support entirely.
Changes since OpenSSH 9.6
This release contains mostly bugfixes.
New features
ssh(1), sshd(8): add a "global" ChannelTimeout type that watches all open channels and will close all open channels if there is no traffic on any of them for the specified interval. This is in addition to the existing per-channel timeouts added recently.
This supports situations like having both session and x11 forwarding channels open where one may be idle for an extended period but the other is actively used. The global timeout could close both channels when both have been idle for too long.
All: make DSA key support compile-time optional, defaulting to on.
Bugfixes
sshd(8): don't append an unnecessary space to the end of subsystem arguments (bz3667)
ssh(1): fix the multiplexing "channel proxy" mode, broken when keystroke timing obfuscation was added. (GHPR#463)
ssh(1), sshd(8): fix spurious configuration parsing errors when options that accept array arguments are overridden (bz3657).
ssh-agent(1): fix potential spin in signal handler (bz3670)
Many fixes to manual pages and other documentation, including GHPR#462, GHPR#454, GHPR#442 and GHPR#441.
Greatly improve interop testing against PuTTY.
Portability
Improve the error message when the autoconf OpenSSL header check fails (bz#3668)
Improve detection of broken toolchain -fzero-call-used-regs support (bz3645).
Fix regress/misc/fuzz-harness fuzzers and make them compile without warnings when using clang16
Checksums:
SHA1 (openssh-9.7.tar.gz) = 163272058edc20a8fde81661734a6684c9b4db11
SHA256 (openssh-9.7.tar.gz) = gXDWrF4wN2UWyPjyjvVhpjjKd7D2qI6LyZiIYhbJQVg=
SHA1 (openssh-9.7p1.tar.gz) = ce8985ea0ea2f16a5917fd982ade0972848373cc
SHA256 (openssh-9.7p1.tar.gz) = SQQm92bYKidj/KzY2D6j1weYdQx70q/y5X3FZg93P/0=
Please note that the SHA256 signatures are base64 encoded and not hexadecimal (which is the default for most checksum tools). The PGP key used to sign the releases is available from the mirror sites: https://cdn.openbsd.org/pub/OpenBSD/OpenSSH/RELEASE_KEY.asc
Reporting Bugs:
- Please read https://www.openssh.com/report.html
Security bugs should be reported directly to openssh@openssh.com _______________________________________________ openssh-unix-announce mailing list openssh-unix-announce@mindrot.org https://lists.mindrot.org/mailman/listinfo/openssh-unix-announce
-- Sent from my laptop
-
Adolf Belka -
Michael Tremer