===================================================================
RCS file: /cvsrepo/anoncvs/cvs/www/61.html,v
retrieving revision 1.78
retrieving revision 1.79
diff -c -r1.78 -r1.79
*** www/61.html 2017/04/07 17:38:52 1.78
--- www/61.html 2017/04/08 14:53:35 1.79
***************
*** 497,503 ****
OpenSSH 7.4
--- 497,720 ----
OpenSSH 7.4
! - Security:
!
! - ssh-agent(1): Will now refuse to load PKCS#11 modules from paths
! outside a trusted whitelist (run-time configurable). Requests to
! load modules could be passed via agent forwarding and an attacker
! could attempt to load a hostile PKCS#11 module across the forwarded
! agent channel: PKCS#11 modules are shared libraries, so this would
! result in code execution on the system running the ssh-agent if the
! attacker has control of the forwarded agent-socket (on the host
! running the sshd server) and the ability to write to the filesystem
! of the host running ssh-agent (usually the host running the ssh
! client).
!
- sshd(8): When privilege separation is disabled, forwarded Unix-
! domain sockets would be created by sshd(8) with the privileges of
! 'root' instead of the authenticated user. This release refuses
! Unix-domain socket forwarding when privilege separation is disabled
! (Privilege separation has been enabled by default for 14 years).
!
- sshd(8): Avoid theoretical leak of host private key material to
! privilege-separated child processes via realloc() when reading
! keys. No such leak was observed in practice for normal-sized keys,
! nor does a leak to the child processes directly expose key material
! to unprivileged users.
!
- sshd(8): The shared memory manager used by pre-authentication
! compression support had a bounds checks that could be elided by
! some optimising compilers. Additionally, this memory manager was
! incorrectly accessible when pre-authentication compression was
! disabled. This could potentially allow attacks against the
! privileged monitor process from the sandboxed privilege-separation
! process (a compromise of the latter would be required first).
! This release removes support for pre-authentication compression
! from sshd(8).
!
- sshd(8): Fix denial-of-service condition where an attacker who
! sends multiple KEXINIT messages may consume up to 128MB per
! connection.
!
- sshd(8): Validate address ranges for AllowUser and DenyUsers
! directives at configuration load time and refuse to accept invalid
! ones. It was previously possible to specify invalid CIDR address
! ranges (e.g. user@127.1.2.3/55) and these would always match,
! possibly resulting in granting access where it was not intended.
!
- ssh(1), sshd(8): Fix weakness in CBC padding oracle countermeasures
! that allowed a variant of the attack fixed in OpenSSH 7.3 to proceed.
!
- sftp-client(1): [portable OpenSSH only] On Cygwin, a client making
! a recursive file transfer could be maniuplated by a hostile server to
! perform a path-traversal attack. creating or modifying files outside
! of the intended target directory.
!
! - New/changed features:
!
! - Server support for the SSH v.1 protocol has been removed.
!
- ssh(1): Remove 3des-cbc from the client's default proposal. 64-bit
! block ciphers are not safe in 2016 and we don't want to wait until
! attacks like SWEET32 are extended to SSH. As 3des-cbc was the
! only mandatory cipher in the SSH RFCs, this may cause problems
! connecting to older devices using the default configuration,
! but it's highly likely that such devices already need explicit
! configuration for key exchange and hostkey algorithms already
! anyway.
!
- sshd(8): Remove support for pre-authentication compression.
! Doing compression early in the protocol probably seemed reasonable
! in the 1990s, but today it's clearly a bad idea in terms of both
! cryptography (cf. multiple compression oracle attacks in TLS) and
! attack surface. Pre-auth compression support has been disabled by
! default for >10 years. Support remains in the client.
!
- ssh-agent will refuse to load PKCS#11 modules outside a whitelist
! of trusted paths by default. The path whitelist may be specified
! at run-time.
!
- sshd(8): When a forced-command appears in both a certificate and
! an authorized keys/principals command= restriction, sshd will now
! refuse to accept the certificate unless they are identical.
! The previous (documented) behaviour of having the certificate
! forced-command override the other could be a bit confusing and
! error-prone.
!
- sshd(8): Remove the UseLogin configuration directive and support
! for having /bin/login manage login sessions.
!
- ssh(1): Add a proxy multiplexing mode to ssh(1) inspired by the
! version in PuTTY by Simon Tatham. This allows a multiplexing
! client to communicate with the master process using a subset of
! the SSH packet and channels protocol over a Unix-domain socket,
! with the main process acting as a proxy that translates channel
! IDs, etc. This allows multiplexing mode to run on systems that
! lack file- descriptor passing (used by current multiplexing
! code) and potentially, in conjunction with Unix-domain socket
! forwarding, with the client and multiplexing master process on
! different machines. Multiplexing proxy mode may be invoked using
! "ssh -O proxy ..."
!
- sshd(8): Add a sshd_config DisableForwarding option that disables
! X11, agent, TCP, tunnel and Unix domain socket forwarding, as well
! as anything else we might implement in the future. Like the
! 'restrict' authorized_keys flag, this is intended to be a simple
! and future-proof way of restricting an account.
!
- sshd(8), ssh(1): Support the "curve25519-sha256" key exchange
! method. This is identical to the currently-supported method named
! "curve25519-sha256@libssh.org".
!
- sshd(8): Improve handling of SIGHUP by checking to see if sshd is
! already daemonised at startup and skipping the call to daemon(3)
! if it is. This ensures that a SIGHUP restart of sshd(8) will
! retain the same process-ID as the initial execution. sshd(8) will
! also now unlink the PidFile prior to SIGHUP restart and re-create
! it after a successful restart, rather than leaving a stale file in
! the case of a configuration error.
!
- sshd(8): Allow ClientAliveInterval and ClientAliveCountMax
! directives to appear in sshd_config Match blocks.
!
- sshd(8): Add %-escapes to AuthorizedPrincipalsCommand to match
! those supported by AuthorizedKeysCommand (key, key type,
! fingerprint, etc.) and a few more to provide access to the
! contents of the certificate being offered.
!
- Added regression tests for string matching, address matching and
! string sanitisation functions.
!
- Improved the key exchange fuzzer harness.
!
- Deprecate the sshd_config UsePrivilegeSeparation
! option, thereby making privilege separation mandatory. Privilege
! separation has been on by default for almost 15 years and
! sandboxing has been on by default for almost the last five.
!
- ssh(1), sshd(8): Support "=-" syntax to easily remove methods from
! algorithm lists, e.g. Ciphers=-*cbc.
!
! - The following significant bugs have been fixed in this release:
!
! - ssh(1): Allow IdentityFile to successfully load and use
! certificates that have no corresponding bare public key.
! certificate id_rsa-cert.pub (and no id_rsa.pub).
!
- ssh(1): Fix public key authentication when multiple
! authentication is in use and publickey is not just the first
! method attempted.
!
- ssh-agent(1), ssh(1): improve reporting when attempting to load
! keys from PKCS#11 tokens with fewer useless log messages and more
! detail in debug messages.
!
- ssh(1): When tearing down ControlMaster connections, don't
! pollute stderr when LogLevel=quiet.
!
- sftp(1): On ^Z wait for underlying ssh(1) to suspend before
! suspending sftp(1) to ensure that ssh(1) restores the terminal mode
! correctly if suspended during a password prompt.
!
- ssh(1): Avoid busy-wait when ssh(1) is suspended during a password
! prompt.
!
- ssh(1), sshd(8): Correctly report errors during sending of ext-
! info messages.
!
- sshd(8): fix NULL-deref crash if sshd(8) received an out-of-
! sequence NEWKEYS message.
!
- sshd(8): Correct list of supported signature algorithms sent in
! the server-sig-algs extension.
!
- sshd(8): Fix sending ext_info message if privsep is disabled.
!
- sshd(8): more strictly enforce the expected ordering of privilege
! separation monitor calls used for authentication and allow them
! only when their respective authentication methods are enabled
! in the configuration
!
- sshd(8): Fix uninitialised optlen in getsockopt() call; harmless
! on Unix/BSD but potentially crashy on Cygwin.
!
- Fix false positive reports caused by explicit_bzero(3) not being
! recognised as a memory initialiser when compiled with
! -fsanitize-memory.
!
- sshd_config(5): Use 2001:db8::/32, the official IPv6 subnet for
! configuration examples.
!
- sshd(1): Fix NULL dereference crash when key exchange start
! messages are sent out of sequence.
!
- ssh(1), sshd(8): Allow form-feed characters to appear in
! configuration files.
!
- sshd(8): Fix regression in OpenSSH 7.4 support for the
! server-sig-algs extension, where SHA2 RSA signature methods were
! not being correctly advertised.
!
- ssh(1), ssh-keygen(1): Fix a number of case-sensitivity bugs in
! known_hosts processing.
!
- ssh(1): Allow ssh to use certificates accompanied by a private key
! file but no corresponding plain *.pub public key.
!
- ssh(1): When updating hostkeys using the UpdateHostKeys option,
! accept RSA keys if HostkeyAlgorithms contains any RSA keytype.
! Previously, ssh could ignore RSA keys when only the ssh-rsa-sha2-*
! methods were enabled in HostkeyAlgorithms and not the old ssh-rsa
! method.
!
- ssh(1): Detect and report excessively long configuration file
! lines.
!
- Merge a number of fixes found by Coverity and reported via Redhat
! and FreeBSD. Includes fixes for some memory and file descriptor
! leaks in error paths.
!
- ssh-keyscan(1): Correctly hash hosts with a port number.
!
- ssh(1), sshd(8): When logging long messages to stderr, don't truncate
! "\r\n" if the length of the message exceeds the buffer.
!
- ssh(1): Fully quote [host]:port in generated ProxyJump/-J command-
! line; avoid confusion over IPv6 addresses and shells that treat
! square bracket characters specially.
!
- ssh-keygen(1): Fix corruption of known_hosts when running
! "ssh-keygen -H" on a known_hosts containing already-hashed entries.
!
- Fix various fallout and sharp edges caused by removing SSH protocol
! 1 support from the server, including the server banner string being
! incorrectly terminated with only \n (instead of \r\n), confusing
! error messages from ssh-keyscan a segfault in sshd
! if protocol v.1 was enabled for the client and sshd_config
! contained references to legacy keys.
!
- ssh(1), sshd(8): Free fd_set on connection timeout.
!
- sshd(8): Fix Unix domain socket forwarding for root (regression in
! OpenSSH 7.4).
!
- sftp(1): Fix division by zero crash in "df" output when server
! returns zero total filesystem blocks/inodes.
!
- ssh(1), ssh-add(1), ssh-keygen(1), sshd(8): Translate OpenSSL errors
! encountered during key loading to more meaningful error codes.
!
- ssh-keygen(1): Sanitise escape sequences in key comments sent to
! printf but preserve valid UTF-8 when the locale supports it.
!
- ssh(1), sshd(8): Return reason for port forwarding failures where
! feasible rather than always "administratively prohibited".
!
- sshd(8): Fix deadlock when AuthorizedKeysCommand or
! AuthorizedPrincipalsCommand produces a lot of output and a key is
! matched early.
!
- ssh(1): Fix typo in ~C error message for bad port forward
! cancellation.
!
- ssh(1): Show a useful error message when included config files
! can't be opened.
!
- sshd(8): Make sshd set GSSAPIStrictAcceptorCheck=yes as the manual page
! (previously incorrectly) advertised.
!
- sshd_config(5): Repair accidentally-deleted mention of %k token
! in AuthorizedKeysCommand.
!
- sshd(8): Remove vestiges of previously removed LOGIN_PROGRAM;
!
- ssh-agent(1): Relax PKCS#11 whitelist to include libexec and
! common 32-bit compatibility library directories.
!
- sftp-client(1): Fix non-exploitable integer overflow in SSH2_FXP_NAME
! response handling.
!
- ssh-agent(1): Fix regression in 7.4 of deleting PKCS#11-hosted
! keys. It was not possible to delete them except by specifying
! their full physical path.
!
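Review bot: The "OpenSSH 7.4" heading at the top of this hunk is left unchanged, yet the added list contains entries described as regressions in 7.4 (server-sig-algs advertising, Unix domain socket forwarding for root, deleting PKCS#11-hosted keys), so the heading no longer matches what the list covers. Either update the heading or separate the later fixes. The same merge appears to have left near-duplicate entries: the PKCS#11 module whitelist and the removal of pre-authentication compression each appear under both "Security" and "New/changed features", and the IdentityFile entry about certificates without a bare public key is repeated later as "Allow ssh to use certificates accompanied by a private key file". Wording to fix before this goes out: "AllowUser" should be "AllowUsers" to match the sshd_config directive (it is paired with DenyUsers in the same sentence); "maniuplated" and "path-traversal attack. creating" in the Cygwin sftp-client entry; "had a bounds checks"; the dangling fragment "certificate id_rsa-cert.pub (and no id_rsa.pub)." which has lost the start of its sentence; the missing conjunction in "confusing error messages from ssh-keyscan a segfault in sshd"; "sshd(1)" in the key exchange NULL dereference entry where every other entry uses sshd(8); and the trailing ";" after LOGIN_PROGRAM.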