4d3fc8b057
This release fixes a number of security bugs and has minor new features
and bug fixes.

Security fixes, from the release notes (https://www.openssh.com/txt/release-9.3):

  This release contains fixes for a security problem and a memory safety
  problem. The memory safety problem is not believed to be exploitable,
  but we report most network-reachable memory faults as security bugs.

   * ssh-add(1): when adding smartcard keys to ssh-agent(1) with the
     per-hop destination constraints (ssh-add -h ...) added in OpenSSH
     8.9, a logic error prevented the constraints from being communicated
     to the agent. This resulted in the keys being added without
     constraints. The common cases of non-smartcard keys and keys without
     destination constraints are unaffected. This problem was reported by
     Luci Stanescu.

   * ssh(1): Portable OpenSSH provides an implementation of the
     getrrsetbyname(3) function if the standard library does not provide
     it, for use by the VerifyHostKeyDNS feature. A specifically crafted
     DNS response could cause this function to perform an out-of-bounds
     read of adjacent stack data, but this condition does not appear to
     be exploitable beyond denial-of-service to the ssh(1) client.

     The getrrsetbyname(3) replacement is only included if the system's
     standard library lacks this function and portable OpenSSH was not
     compiled with the ldns library (--with-ldns). getrrsetbyname(3) is
     only invoked if using VerifyHostKeyDNS to fetch SSHFP records. This
     problem was found by the Coverity static analyzer.

Sponsored by:	The FreeBSD Foundation
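The second item above describes a classic bug class: a DNS answer parser that trusts counts or lengths carried in the packet and reads past the bytes it actually received. The following C program is an added example, not OpenSSH's getrrsetbyname(3) replacement and not a reproduction of the specific defect that was fixed; it shows the bounds-checking discipline such a parser needs for the SSHFP lookup VerifyHostKeyDNS performs. The response bytes are constructed for the example, not a capture; the SSHFP type code (44) and the algorithm and fingerprint-type values are from RFC 4255. A well-formed message yields two records, while a copy truncated inside the last RDATA and a copy whose ANCOUNT overstates the records present are both rejected rather than over-read.

```c
/* Added example, not OpenSSH's getrrsetbyname(3) code: a bounds-checked parser
 * for SSHFP answers in a DNS response that rejects crafted counts and lengths. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#define DNS_TYPE_SSHFP 44                    /* RFC 4255 */
struct sshfp {
    uint8_t alg;                             /* 1=RSA 2=DSA 3=ECDSA 4=Ed25519 */
    uint8_t fptype;                          /* 1=SHA-1 2=SHA-256 */
    const uint8_t *fp;                       /* points into the message buffer */
    size_t fplen;
};

/* True if at least n bytes remain at off; ordered to avoid size_t underflow. */
static int need(size_t len, size_t off, size_t n) { return off <= len && len - off >= n; }
static int get_u16(const uint8_t *m, size_t len, size_t *off, uint16_t *v) {
    if (!need(len, *off, 2)) return -1;
    *v = (uint16_t)((m[*off] << 8) | m[*off + 1]);
    *off += 2;
    return 0;
}
/* Skip an owner name: length-prefixed labels ending in a 0 byte, or a 2-byte
 * compression pointer (top two bits set), which is not followed. */
static int skip_name(const uint8_t *m, size_t len, size_t *off) {
    for (;;) {
        if (!need(len, *off, 1)) return -1;
        uint8_t l = m[(*off)++];
        if (l == 0) return 0;
        if ((l & 0xC0) == 0xC0) { if (!need(len, *off, 1)) return -1; *off += 1; return 0; }
        if ((l & 0xC0) != 0 || !need(len, *off, l)) return -1;
        *off += l;
    }
}
/* Parse up to max SSHFP records from the answer section into out[]. Returns
 * the number stored, or -1 if the message is malformed or truncated. */
int parse_sshfp_answers(const uint8_t *m, size_t len, struct sshfp *out, size_t max) {
    size_t off = 0, n = 0;
    uint16_t hdr[6], i;                      /* ID FLAGS QDCOUNT ANCOUNT NSCOUNT ARCOUNT */
    for (i = 0; i < 6; i++)
        if (get_u16(m, len, &off, &hdr[i]) < 0) return -1;
    if ((hdr[1] & 0x8000) == 0 || (hdr[1] & 0x000F) != 0) return -1; /* not a NOERROR response */
    for (i = 0; i < hdr[2]; i++) {           /* question section: name, QTYPE, QCLASS */
        uint16_t qt, qc;
        if (skip_name(m, len, &off) < 0 || get_u16(m, len, &off, &qt) < 0 ||
            get_u16(m, len, &off, &qc) < 0) return -1;
    }
    for (i = 0; i < hdr[3]; i++) {           /* answer section */
        uint16_t type, cls, ttl_hi, ttl_lo, rdlen;
        if (skip_name(m, len, &off) < 0 || get_u16(m, len, &off, &type) < 0 ||
            get_u16(m, len, &off, &cls) < 0 || get_u16(m, len, &off, &ttl_hi) < 0 ||
            get_u16(m, len, &off, &ttl_lo) < 0 || get_u16(m, len, &off, &rdlen) < 0)
            return -1;
        /* RDLENGTH is attacker-controlled: it must fit in what was received. */
        if (!need(len, off, rdlen)) return -1;
        if (type == DNS_TYPE_SSHFP && cls == 1 && n < max) {
            if (rdlen < 3) return -1;        /* algorithm, fp type, >= 1 fp byte */
            out[n].alg = m[off]; out[n].fptype = m[off + 1];
            out[n].fp = m + off + 2; out[n].fplen = rdlen - 2;
            n++;
        }
        off += rdlen;
    }
    return (int)n;
}
/* Constructed response (not a real capture) for "host.example IN SSHFP" with
 * two answers: RSA/SHA-1 (20-byte fp) and Ed25519/SHA-256 (32-byte fp). */
const uint8_t sample_msg[] = {
    0x12,0x34, 0x81,0x80, 0x00,0x01, 0x00,0x02, 0x00,0x00, 0x00,0x00,          /* header */
    4,'h','o','s','t', 7,'e','x','a','m','p','l','e', 0, 0x00,0x2C, 0x00,0x01, /* question */
    0xC0,0x0C, 0x00,0x2C, 0x00,0x01, 0x00,0x00,0x0E,0x10, 0x00,0x16, 1, 1,     /* RR1, RDLENGTH 22 */
    0x01,0x02,0x03,0x04,0x05,0x06,0x07,0x08,0x09,0x0A,0x0B,0x0C,0x0D,0x0E,0x0F,0x10,0x11,0x12,0x13,0x14,
    0xC0,0x0C, 0x00,0x2C, 0x00,0x01, 0x00,0x00,0x0E,0x10, 0x00,0x22, 4, 2,     /* RR2, RDLENGTH 34 */
    0xA0,0xA1,0xA2,0xA3,0xA4,0xA5,0xA6,0xA7,0xA8,0xA9,0xAA,0xAB,0xAC,0xAD,0xAE,0xAF,
    0xB0,0xB1,0xB2,0xB3,0xB4,0xB5,0xB6,0xB7,0xB8,0xB9,0xBA,0xBB,0xBC,0xBD,0xBE,0xBF,
};
/* Crafted variants a parser trusting wire lengths would over-read: the message
 * cut short inside the last RDATA, and ANCOUNT inflated beyond the records present. */
int demo_truncated(void) {
    struct sshfp r[4];
    return parse_sshfp_answers(sample_msg, sizeof sample_msg - 10, r, 4);
}
int demo_inflated_ancount(void) {
    uint8_t m[sizeof sample_msg]; struct sshfp r[8];
    memcpy(m, sample_msg, sizeof m);
    m[7] = 5;                                /* low byte of ANCOUNT */
    return parse_sshfp_answers(m, sizeof m, r, 8);
}

int main(void) {
    struct sshfp r[4]; int k, n = parse_sshfp_answers(sample_msg, sizeof sample_msg, r, 4);
    for (k = 0; k < n; k++)
        printf("SSHFP alg=%u fptype=%u fplen=%zu\n", r[k].alg, r[k].fptype, r[k].fplen);
    printf("truncated=%d inflated=%d\n", demo_truncated(), demo_inflated_ancount());
    return 0;
}
```

The point of `need()` is that every read, including the section loops driven by QDCOUNT and ANCOUNT, is checked against `len` (bytes received) rather than against anything the packet claims about itself; a parser that loops on ANCOUNT or copies RDLENGTH bytes without that check is exactly the kind of code a crafted response can walk off the end of its buffer.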
54 lines
2.1 KiB
Plaintext
See https://www.openssh.com/releasenotes.html#9.3p1 for the release
notes.

Please read https://www.openssh.com/report.html for bug reporting
instructions and note that we do not use Github for bug reporting or
patch/pull-request management.

This is the port of OpenBSD's excellent OpenSSH[0] to Linux and other
Unices.

OpenSSH is based on the last free version of Tatu Ylonen's sample
implementation with all patent-encumbered algorithms removed (to
external libraries), all known security bugs fixed, new features
reintroduced and many other clean-ups. OpenSSH has been created by
Aaron Campbell, Bob Beck, Markus Friedl, Niels Provos, Theo de Raadt,
and Dug Song. It has a homepage at https://www.openssh.com/

This port consists of the re-introduction of autoconf support, PAM
support, EGD/PRNGD support and replacements for OpenBSD library
functions that are (regrettably) absent from other unices. This port
has been best tested on AIX, Cygwin, HP-UX, Linux, MacOS/X,
FreeBSD, NetBSD, OpenBSD, OpenServer, Solaris and UnixWare.

This version actively tracks changes in the OpenBSD CVS repository.

The PAM support is now more functional than the popular packages of
commercial ssh-1.2.x. It checks "account" and "session" modules for
all logins, not just when using password authentication.

There are now several mailing lists for this port of OpenSSH. Please
refer to https://www.openssh.com/list.html for details on how to join.

Please send bug reports and patches to https://bugzilla.mindrot.org or
the mailing list openssh-unix-dev@mindrot.org. To mitigate spam, the
list only allows posting from subscribed addresses. Code contributions
are welcome, but please follow the OpenBSD style guidelines[1].

Please refer to the INSTALL document for information on dependencies and
how to install OpenSSH on your system.

Damien Miller <djm@mindrot.org>

Miscellania -

This version of OpenSSH is based upon code retrieved from the OpenBSD CVS
repository which in turn was based on the last free sample implementation
released by Tatu Ylonen.

References -

[0] https://www.openssh.com/
[1] https://man.openbsd.org/style.9