OpenSSH 9.1 released (UPDATED)

posted by Roy Schestowitz on Oct 04, 2022,
updated Oct 05, 2022

OpenSSH 9.1 has just been released. It will be available from the
mirrors listed at https://www.openssh.com/ shortly.

OpenSSH is a 100% complete SSH protocol 2.0 implementation and includes sftp client and server support.
Once again, we would like to thank the OpenSSH community for their continued support of the project, especially those who contributed code or patches, reported bugs, tested snapshots or donated to the project. More information on donations may be found at: https://www.openssh.com/donations.html
Changes since OpenSSH 9.0
=========================

This release is focused on bug fixing.

Security
========

This release contains fixes for three minor memory safety problems. None are believed to be exploitable, but we report most memory safety problems as potential security vulnerabilities out of caution.
* ssh-keyscan(1): fix a one-byte overflow in SSH- banner processing. Reported by Qualys
* ssh-keygen(1): double free() in error path of file hashing step in signing/verify code; GHPR333
* ssh-keysign(8): double-free in error path introduced in openssh-8.9
Potentially-incompatible changes
--------------------------------

* The portable OpenSSH project now signs commits and release tags using git's recent SSH signature support. The list of developer signing keys is included in the repository as .git_allowed_signers and is cross-signed using the PGP key that is still used to sign release artifacts: https://cdn.openbsd.org/pub/OpenBSD/OpenSSH/RELEASE_KEY.asc
* ssh(1), sshd(8): SetEnv directives in ssh_config and sshd_config are now first-match-wins to match other directives. Previously if an environment variable was multiply specified the last set value would have been used. bz3438
* ssh-keygen(8): ssh-keygen -A (generate all default host key types) will no longer generate DSA keys, as these are insecure and have not been used by default for some years.
New features
------------

* ssh(1), sshd(8): add a RequiredRSASize directive to set a minimum RSA key length. Keys below this length will be ignored for user authentication and for host authentication in sshd(8).
ssh(1) will terminate a connection if the server offers an RSA key that falls below this limit, as the SSH protocol does not include the ability to retry a failed key exchange.
* sftp-server(8): add a "users-groups-by-id@openssh.com" extension request that allows the client to obtain user/group names that correspond to a set of uids/gids.
* sftp(1): use "users-groups-by-id@openssh.com" sftp-server extension (when available) to fill in user/group names for directory listings.
* sftp-server(8): support the "home-directory" extension request defined in draft-ietf-secsh-filexfer-extensions-00. This overlaps a bit with the existing "expand-path@openssh.com", but some other clients support it.
* ssh-keygen(1), sshd(8): allow certificate validity intervals, sshsig verification times and authorized_keys expiry-time options to accept dates in the UTC time zone in addition to the default of interpreting them in the system time zone. YYYYMMDD and YYMMDDHHMM[SS] dates/times will be interpreted as UTC if suffixed with a 'Z' character.
Also allow certificate validity intervals to be specified in raw seconds-since-epoch as hex value, e.g. -V 0x1234:0x4567890. This is intended for use by regress tests and other tools that call ssh-keygen as part of a CA workflow. bz3468
* sftp(1): allow arguments to the sftp -D option, e.g. sftp -D "/usr/libexec/sftp-server -el debug3"
* ssh-keygen(1): allow the existing -U (use agent) flag to work with "-Y sign" operations, where it will be interpreted to require that the private key is hosted in an agent; bz3429

Bugfixes
--------

* ssh-keygen(1): implement the "verify-required" certificate option. This was already documented when support for user-verified FIDO keys was added, but the ssh-keygen(1) code was missing.
* ssh-agent(1): hook up the restrict_websafe command-line flag; previously the flag was accepted but never actually used.
* sftp(1): improve filename tab completions: never try to complete names to non-existent commands, and better match the completion type (local or remote filename) against the argument position being completed.
* ssh-keygen(1), ssh(1), ssh-agent(1): several fixes to FIDO key handling, especially relating to keys that request user-verification. These should reduce the number of unnecessary PIN prompts for keys that support intrinsic user verification. GHPR302, GHPR329
* ssh-keygen(1): when enrolling a FIDO resident key, check if a credential with matching application and user ID strings already exists and, if so, prompt the user for confirmation before overwriting the credential. GHPR329
* sshd(8): improve logging of errors when opening authorized_keys files. bz2042
* ssh(1): avoid multiplexing operations that could cause SIGPIPE from causing the client to exit early. bz3454
* ssh_config(5), sshd_config(5): clarify that the RekeyLimit directive applies to both transmitted and received data. GHPR328
* ssh-keygen(1): avoid double fclose() in error path.
* sshd(8): log an error if pipe() fails while accepting a connection. bz3447
* ssh(1), ssh-keygen(1): fix possible NULL deref when built without FIDO support. bz3443
* ssh-keyscan(1): add missing *-sk types to ssh-keyscan manpage. GHPR294.
* sshd(8): ensure that authentication passwords are cleared from memory in error paths. GHPR286
* ssh(1), ssh-agent(1): avoid possibility of notifier code executing kill(-1). GHPR286
* ssh_config(5): note that the ProxyJump directive also accepts the same tokens as ProxyCommand. GHPR305.
* scp(1): do not ftruncate(3) files early when in sftp mode. The previous behaviour of unconditionally truncating the destination file would cause "scp ~/foo localhost:foo" and the reverse "scp localhost:foo ~/foo" to delete all the contents of their destination. bz3431
* ssh-keygen(1): improve error message when 'ssh-keygen -Y sign' is unable to load a private key; bz3429
* sftp(1), scp(1): when performing operations that glob(3) a remote path, ensure that the implicit working directory used to construct that path escapes glob(3) characters. This prevents glob characters from being processed in places they shouldn't, e.g. "cd /tmp/a*/", "get *.txt" should have the get operation treat the path "/tmp/a*" literally and not attempt to expand it.
* ssh(1), sshd(8): be stricter in which characters will be accepted in specifying a mask length; allow only 0-9. GHPR278
* ssh-keygen(1): avoid printing hash algorithm twice when dumping a KRL
* ssh(1), sshd(8): continue running local I/O for open channels during SSH transport rekeying. This should make ~-escapes work in the client (e.g. to exit) if the connection happened to have stalled during a rekey event.
* ssh(1), sshd(8): avoid potential poll() spin during rekeying
* Further hardening for sshbuf internals: disallow "reparenting" a hierarchical sshbuf and zero the entire buffer if reallocation fails. GHPR287
Portability
-----------

* ssh(1), ssh-keygen(1), sshd(8): automatically enable the built-in FIDO security key support if libfido2 is found and usable, unless --without-security-key-builtin was requested.
* ssh(1), ssh-keygen(1), sshd(8): many fixes to make the WinHello FIDO device usable on Cygwin. The windows://hello FIDO device will be automatically used by default on this platform unless requested otherwise, or when probing resident FIDO credentials (an operation not currently supported by WinHello).
* Portable OpenSSH: remove workarounds for obsolete and unsupported versions of OpenSSL libcrypto. In particular, this release removes fallback support for OpenSSL that lacks AES-CTR or AES-GCM.
Those AES cipher modes were added to OpenSSL prior to the minimum version currently supported by OpenSSH, so this is not expected to impact any currently supported configurations.
* sshd(8): fix SANDBOX_SECCOMP_FILTER_DEBUG on current Linux/glibc
* All: resync and clean up internal CSPRNG code.
* scp(1), sftp(1), sftp-server(8): avoid linking these programs with unnecessary libraries. They are no longer linked against libz and libcrypto. This may be of benefit to space constrained systems using any of those components in isolation.
* sshd(8): add AUDIT_ARCH_PPC to supported seccomp sandbox architectures.
* configure: remove special casing of crypt(). configure will no longer search for crypt() in libcrypto, as it was removed from there years ago. configure will now only search libc and libcrypt.
* configure: refuse to use OpenSSL 3.0.4 due to potential RCE in its RSA implementation (CVE-2022-2274) on x86_64.
* All: request 1.1x API compatibility for OpenSSL >=3.x; GHPR#322
* ssh(1), ssh-keygen(1), sshd(8): fix a number of missing includes required by the XMSS code on some platforms.
* sshd(8): cache timezone data in capsicum sandbox.
Checksums:
==========

- SHA1 (openssh-9.1.tar.gz) = 3ae2d6a3a695d92778c4c4567dcd6ad481092f6c
- SHA256 (openssh-9.1.tar.gz) = QKfVArlcItV+e8V1Th85TL5//5d/AvOUhYOeHMDEGuE=
- SHA1 (openssh-9.1p1.tar.gz) = 15545440268967511d3194ebf20bcd0c7ff3fcc9
- SHA256 (openssh-9.1p1.tar.gz) = GfhQCcfj4jeH8CNvuxV4OSq01L+fjsX+a8HNfov90og=

Please note that the SHA256 signatures are base64 encoded and not hexadecimal (which is the default for most checksum tools). The PGP key used to sign the releases is available from the mirror sites: https://cdn.openbsd.org/pub/OpenBSD/OpenSSH/RELEASE_KEY.asc
Reporting Bugs:
===============

- Please read https://www.openssh.com/report.html
- Security bugs should be reported directly to openssh@openssh.com
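The RequiredRSASize directive described in the release notes makes ssh(1) and sshd(8) ignore RSA keys whose modulus is shorter than the configured bit length. The following Python is an added example, not code from OpenSSH or from this post: it parses the ssh-rsa public key blob (RFC 4253 string/mpint encoding) found in authorized_keys and known_hosts lines and reports which keys a given policy would cause sshd to ignore. The 3072-bit policy value, the function names and the sample keys (placeholder moduli of the right length, not real keys) are constructed for illustration.

```python
import base64
import struct

def _ssh_string(data: bytes) -> bytes:
    # RFC 4253 "string": uint32 big-endian length, then the bytes.
    return struct.pack(">I", len(data)) + data
def _ssh_mpint(n: int) -> bytes:
    # RFC 4253 "mpint": two's complement, so a 0x00 pad is added when the top bit is set.
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return _ssh_string(b"\x00" + raw if raw[0] & 0x80 else raw)
def encode_ssh_rsa(e: int, n: int) -> str:
    """Base64 blob of an ssh-rsa public key: string "ssh-rsa", mpint e, mpint n."""
    return base64.b64encode(_ssh_string(b"ssh-rsa") + _ssh_mpint(e) + _ssh_mpint(n)).decode()

def _read_string(blob: bytes, off: int):
    (length,) = struct.unpack_from(">I", blob, off)
    end = off + 4 + length
    if end > len(blob):
        raise ValueError("truncated SSH string")
    return blob[off + 4:end], end

def rsa_modulus_bits(b64_blob: str) -> int:
    """Modulus bit length of an ssh-rsa blob; the mpint pad byte is not counted as a key bit."""
    blob = base64.b64decode(b64_blob, validate=True)
    keytype, off = _read_string(blob, 0)
    if keytype != b"ssh-rsa":
        raise ValueError("not an ssh-rsa key: %r" % keytype)
    _e, off = _read_string(blob, off)
    n_bytes, off = _read_string(blob, off)
    if off != len(blob):
        raise ValueError("trailing data after modulus")
    return int.from_bytes(n_bytes, "big").bit_length()

def check_authorized_keys(lines, required_bits):
    """(line number, bits) for each ssh-rsa key that falls below required_bits."""
    too_small = []
    for lineno, line in enumerate(lines, 1):
        fields = line.split()
        if not fields or fields[0].startswith("#") or "ssh-rsa" not in fields:
            continue  # blank line, comment, or a non-RSA key type
        bits = rsa_modulus_bits(fields[fields.index("ssh-rsa") + 1])  # options may precede the type
        if bits < required_bits:
            too_small.append((lineno, bits))
    return too_small

SAMPLE_LINES = [  # constructed sample file; moduli are placeholders of the right length, not real keys
    "# constructed authorized_keys",
    "ssh-rsa " + encode_ssh_rsa(65537, (1 << 1023) | 1) + " legacy@example",
    "restrict ssh-rsa " + encode_ssh_rsa(65537, (1 << 3071) | 1) + " ci@example",
]
POLICY_BITS = 3072  # chosen for this example, not the directive's default
```

Running `check_authorized_keys(SAMPLE_LINES, POLICY_BITS)` flags only line 2, the 1024-bit key that sshd would skip under that policy.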
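The checksum note in the announcement points out that the published SHA256 values are base64, not the hex that sha256sum(1) prints, so a naive string comparison fails. As an added example (not part of the announcement), this Python normalises a published digest in either encoding to hex, verifies data against it, and emits a manifest that `sha256sum -c` accepts; the two base64 digests are copied from the announcement above, and the constructed test input is the empty string.

```python
import base64
import binascii
import hashlib
import hmac

# Digests exactly as printed in the OpenSSH 9.1 announcement (base64, not hex).
ANNOUNCED_SHA256 = {
    "openssh-9.1.tar.gz": "QKfVArlcItV+e8V1Th85TL5//5d/AvOUhYOeHMDEGuE=",
    "openssh-9.1p1.tar.gz": "GfhQCcfj4jeH8CNvuxV4OSq01L+fjsX+a8HNfov90og=",
}

def digest_to_hex(published: str) -> str:
    """Return a SHA256 digest as 64 lowercase hex chars, whether published as hex or base64."""
    s = published.strip()
    if len(s) == 64 and all(c in "0123456789abcdefABCDEF" for c in s):
        return s.lower()
    raw = base64.b64decode(s, validate=True)  # rejects characters outside the base64 alphabet
    if len(raw) != 32:
        raise ValueError("decoded digest is %d bytes, not 32" % len(raw))
    return binascii.hexlify(raw).decode()

def verify_sha256(data: bytes, published: str) -> bool:
    """Hash data and compare it with the published digest in constant time."""
    return hmac.compare_digest(hashlib.sha256(data).hexdigest(), digest_to_hex(published))

def sha256sum_manifest(announced: dict) -> str:
    """Lines in the "<hex>  <filename>" format that sha256sum(1) -c reads."""
    return "\n".join("%s  %s" % (digest_to_hex(b64), name) for name, b64 in announced.items()) + "\n"

if __name__ == "__main__":
    # Constructed input: the empty string, whose SHA256 (here in base64) is well known.
    print(verify_sha256(b"", "47DEQpj8HBSa+/TImW+5JCeuQeRkm5NMpJWZG3hSuFU="))
    print(sha256sum_manifest(ANNOUNCED_SHA256), end="")
```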

UPDATE

A couple of reference pages:
