[PATCH] openssh: Update to 8.5p1
peter.mueller at ipfire.org
Fri Mar 5 18:25:11 UTC 2021
thank you for your work and this well documented patch. :-)
Reviewed-by: Peter Müller <peter.mueller at ipfire.org>
Thanks, and best regards,
> - Update Openssh from 8.4p1 to 8.5p1
> - rootfiles not changed
> - ssh access by keys tested with 8.5p1 and successfully worked
> - Full Release notes can be read at https://www.openssh.com/releasenotes.html
> - Future deprecation notice
> It is now possible to perform chosen-prefix attacks against the
> SHA-1 algorithm for less than USD$50K.
> In the SSH protocol, the "ssh-rsa" signature scheme uses the SHA-1
> hash algorithm in conjunction with the RSA public key algorithm.
> OpenSSH will disable this signature scheme by default in the near
> Note that the deactivation of "ssh-rsa" signatures does not necessarily
> require cessation of use for RSA keys. In the SSH protocol, keys may be
> capable of signing using multiple algorithms. In particular, "ssh-rsa"
> keys are capable of signing using "rsa-sha2-256" (RSA/SHA256),
> "rsa-sha2-512" (RSA/SHA512) and "ssh-rsa" (RSA/SHA1). Only the last of
> these is being turned off by default.
> - Checked if the weak ssh-rsa public key algorithm was being used with
> openssh8.4p1 by running
> ssh -oHostKeyAlgorithms=-ssh-rsa user at host
> host verification was successful with no issue so IPFire will not be
> affected by this deprecation when it happens
> - Potentially-incompatible changes
> * ssh(1), sshd(8): this release changes the first-preference signature
> algorithm from ECDSA to ED25519.
> This did not affect my use of ssh login but I use ED25519 as the only
> key algorithm that I use. It might be good to get it tested by
> someone who has ECDSA and ED25519 keys and prefers ECDSA
> Remaining changes don't look likely to affect IPFire users
> - Bugfixes
> * ssh(1): Prefix keyboard interactive prompts with "(user at host)" to
> make it easier to determine which connection they are associated
> with in cases like scp -3, ProxyJump, etc. bz#3224
> * sshd(8): fix sshd_config SetEnv directives located inside Match
> blocks. GHPR201
> * ssh(1): when requesting a FIDO token touch on stderr, inform the
> user once the touch has been recorded.
> * ssh(1): prevent integer overflow when ridiculously large
> ConnectTimeout values are specified, capping the effective value
> (for most platforms) at 24 days. bz#3229
> * ssh(1): consider the ECDSA key subtype when ordering host key
> algorithms in the client.
> * ssh(1), sshd(8): rename the PubkeyAcceptedKeyTypes keyword to
> PubkeyAcceptedAlgorithms. The previous name incorrectly suggested
> that it control allowed key algorithms, when this option actually
> specifies the signature algorithms that are accepted. The previous
> name remains available as an alias. bz#3253
> * ssh(1), sshd(8): similarly, rename HostbasedKeyTypes (ssh) and
> HostbasedAcceptedKeyTypes (sshd) to HostbasedAcceptedAlgorithms.
> * sftp-server(8): add missing lsetstat at openssh.com documentation
> and advertisement in the server's SSH2_FXP_VERSION hello packet.
> * ssh(1), sshd(8): more strictly enforce KEX state-machine by
> banning packet types once they are received. Fixes memleak caused
> by duplicate SSH2_MSG_KEX_DH_GEX_REQUEST (oss-fuzz #30078).
> * sftp(1): allow the full range of UIDs/GIDs for chown/chgrp on 32bit
> platforms instead of being limited by LONG_MAX. bz#3206
> * Minor man page fixes (capitalization, commas, etc.) bz#3223
> * sftp(1): when doing an sftp recursive upload or download of a
> read-only directory, ensure that the directory is created with
> write and execute permissions in the interim so that the transfer
> can actually complete, then set the directory permission as the
> final step. bz#3222
> * ssh-keygen(1): document the -Z, check the validity of its argument
> earlier and provide a better error message if it's not correct.
> * ssh(1): ignore comments at the end of config lines in ssh_config,
> similar to what we already do for sshd_config. bz#2320
> * sshd_config(5): mention that DisableForwarding is valid in a
> sshd_config Match block. bz3239
> * sftp(1): fix incorrect sorting of "ls -ltr" under some
> circumstances. bz3248.
> * ssh(1), sshd(8): fix potential integer truncation of (unlikely)
> timeout values. bz#3250
> * ssh(1): make hostbased authentication send the signature algorithm
> in its SSH2_MSG_USERAUTH_REQUEST packets instead of the key type.
> This make HostbasedAcceptedAlgorithms do what it is supposed to -
> filter on signature algorithm and not key type.
> Signed-off-by: Adolf Belka <adolf.belka at ipfire.org>
> lfs/openssh | 4 ++--
> 1 file changed, 2 insertions(+), 2 deletions(-)
> diff --git a/lfs/openssh b/lfs/openssh
> index 5143f4154..2a07d9e65 100644
> --- a/lfs/openssh
> +++ b/lfs/openssh
> @@ -24,7 +24,7 @@
> include Config
> -VER = 8.4p1
> +VER = 8.5p1
> THISAPP = openssh-$(VER)
> DL_FILE = $(THISAPP).tar.gz
> @@ -40,7 +40,7 @@ objects = $(DL_FILE)
> $(DL_FILE) = $(DL_FROM)/$(DL_FILE)
> -$(DL_FILE)_MD5 = 8f897870404c088e4aa7d1c1c58b526b
> +$(DL_FILE)_MD5 = 9eb9420cf587edc26f8998ab679ad390
> install : $(TARGET)
More information about the Development