===================================================================
RCS file: /cvsrepo/anoncvs/cvs/www/61.html,v
retrieving revision 1.78
retrieving revision 1.79
diff -u -r1.78 -r1.79
--- www/61.html 2017/04/07 17:38:52 1.78
+++ www/61.html 2017/04/08 14:53:35 1.79
@@ -497,7 +497,224 @@
OpenSSH 7.4
- - ...
+
- Security:
+
+ - ssh-agent(1): Will now refuse to load PKCS#11 modules from paths
+ outside a trusted whitelist (run-time configurable). Requests to
+ load modules could be passed via agent forwarding and an attacker
+ could attempt to load a hostile PKCS#11 module across the forwarded
+ agent channel: PKCS#11 modules are shared libraries, so this would
+ result in code execution on the system running the ssh-agent if the
+ attacker has control of the forwarded agent-socket (on the host
+ running the sshd server) and the ability to write to the filesystem
+ of the host running ssh-agent (usually the host running the ssh
+ client).
+
- sshd(8): When privilege separation is disabled, forwarded Unix-
+ domain sockets would be created by sshd(8) with the privileges of
+ 'root' instead of the authenticated user. This release refuses
+ Unix-domain socket forwarding when privilege separation is disabled
+ (Privilege separation has been enabled by default for 14 years).
+
- sshd(8): Avoid theoretical leak of host private key material to
+ privilege-separated child processes via realloc() when reading
+ keys. No such leak was observed in practice for normal-sized keys,
+ nor does a leak to the child processes directly expose key material
+ to unprivileged users.
+
- sshd(8): The shared memory manager used by pre-authentication
+ compression support had a bounds checks that could be elided by
+ some optimising compilers. Additionally, this memory manager was
+ incorrectly accessible when pre-authentication compression was
+ disabled. This could potentially allow attacks against the
+ privileged monitor process from the sandboxed privilege-separation
+ process (a compromise of the latter would be required first).
+ This release removes support for pre-authentication compression
+ from sshd(8).
+
- sshd(8): Fix denial-of-service condition where an attacker who
+ sends multiple KEXINIT messages may consume up to 128MB per
+ connection.
+
- sshd(8): Validate address ranges for AllowUser and DenyUsers
+ directives at configuration load time and refuse to accept invalid
+ ones. It was previously possible to specify invalid CIDR address
+ ranges (e.g. user@127.1.2.3/55) and these would always match,
+ possibly resulting in granting access where it was not intended.
+
- ssh(1), sshd(8): Fix weakness in CBC padding oracle countermeasures
+ that allowed a variant of the attack fixed in OpenSSH 7.3 to proceed.
+
- sftp-client(1): [portable OpenSSH only] On Cygwin, a client making
+ a recursive file transfer could be maniuplated by a hostile server to
+ perform a path-traversal attack. creating or modifying files outside
+ of the intended target directory.
+
+ - New/changed features:
+
+ - Server support for the SSH v.1 protocol has been removed.
+
- ssh(1): Remove 3des-cbc from the client's default proposal. 64-bit
+ block ciphers are not safe in 2016 and we don't want to wait until
+ attacks like SWEET32 are extended to SSH. As 3des-cbc was the
+ only mandatory cipher in the SSH RFCs, this may cause problems
+ connecting to older devices using the default configuration,
+ but it's highly likely that such devices already need explicit
+ configuration for key exchange and hostkey algorithms already
+ anyway.
+
- sshd(8): Remove support for pre-authentication compression.
+ Doing compression early in the protocol probably seemed reasonable
+ in the 1990s, but today it's clearly a bad idea in terms of both
+ cryptography (cf. multiple compression oracle attacks in TLS) and
+ attack surface. Pre-auth compression support has been disabled by
+ default for >10 years. Support remains in the client.
+
- ssh-agent will refuse to load PKCS#11 modules outside a whitelist
+ of trusted paths by default. The path whitelist may be specified
+ at run-time.
+
- sshd(8): When a forced-command appears in both a certificate and
+ an authorized keys/principals command= restriction, sshd will now
+ refuse to accept the certificate unless they are identical.
+ The previous (documented) behaviour of having the certificate
+ forced-command override the other could be a bit confusing and
+ error-prone.
+
- sshd(8): Remove the UseLogin configuration directive and support
+ for having /bin/login manage login sessions.
+
- ssh(1): Add a proxy multiplexing mode to ssh(1) inspired by the
+ version in PuTTY by Simon Tatham. This allows a multiplexing
+ client to communicate with the master process using a subset of
+ the SSH packet and channels protocol over a Unix-domain socket,
+ with the main process acting as a proxy that translates channel
+ IDs, etc. This allows multiplexing mode to run on systems that
+ lack file- descriptor passing (used by current multiplexing
+ code) and potentially, in conjunction with Unix-domain socket
+ forwarding, with the client and multiplexing master process on
+ different machines. Multiplexing proxy mode may be invoked using
+ "ssh -O proxy ..."
+
- sshd(8): Add a sshd_config DisableForwarding option that disables
+ X11, agent, TCP, tunnel and Unix domain socket forwarding, as well
+ as anything else we might implement in the future. Like the
+ 'restrict' authorized_keys flag, this is intended to be a simple
+ and future-proof way of restricting an account.
+
- sshd(8), ssh(1): Support the "curve25519-sha256" key exchange
+ method. This is identical to the currently-supported method named
+ "curve25519-sha256@libssh.org".
+
- sshd(8): Improve handling of SIGHUP by checking to see if sshd is
+ already daemonised at startup and skipping the call to daemon(3)
+ if it is. This ensures that a SIGHUP restart of sshd(8) will
+ retain the same process-ID as the initial execution. sshd(8) will
+ also now unlink the PidFile prior to SIGHUP restart and re-create
+ it after a successful restart, rather than leaving a stale file in
+ the case of a configuration error.
+
- sshd(8): Allow ClientAliveInterval and ClientAliveCountMax
+ directives to appear in sshd_config Match blocks.
+
- sshd(8): Add %-escapes to AuthorizedPrincipalsCommand to match
+ those supported by AuthorizedKeysCommand (key, key type,
+ fingerprint, etc.) and a few more to provide access to the
+ contents of the certificate being offered.
+
- Added regression tests for string matching, address matching and
+ string sanitisation functions.
+
- Improved the key exchange fuzzer harness.
+
- Deprecate the sshd_config UsePrivilegeSeparation
+ option, thereby making privilege separation mandatory. Privilege
+ separation has been on by default for almost 15 years and
+ sandboxing has been on by default for almost the last five.
+
- ssh(1), sshd(8): Support "=-" syntax to easily remove methods from
+ algorithm lists, e.g. Ciphers=-*cbc.
+
+ - The following significant bugs have been fixed in this release:
+
+ - ssh(1): Allow IdentityFile to successfully load and use
+ certificates that have no corresponding bare public key.
+ certificate id_rsa-cert.pub (and no id_rsa.pub).
+
- ssh(1): Fix public key authentication when multiple
+ authentication is in use and publickey is not just the first
+ method attempted.
+
- ssh-agent(1), ssh(1): improve reporting when attempting to load
+ keys from PKCS#11 tokens with fewer useless log messages and more
+ detail in debug messages.
+
- ssh(1): When tearing down ControlMaster connections, don't
+ pollute stderr when LogLevel=quiet.
+
- sftp(1): On ^Z wait for underlying ssh(1) to suspend before
+ suspending sftp(1) to ensure that ssh(1) restores the terminal mode
+ correctly if suspended during a password prompt.
+
- ssh(1): Avoid busy-wait when ssh(1) is suspended during a password
+ prompt.
+
- ssh(1), sshd(8): Correctly report errors during sending of ext-
+ info messages.
+
- sshd(8): fix NULL-deref crash if sshd(8) received an out-of-
+ sequence NEWKEYS message.
+
- sshd(8): Correct list of supported signature algorithms sent in
+ the server-sig-algs extension.
+
- sshd(8): Fix sending ext_info message if privsep is disabled.
+
- sshd(8): more strictly enforce the expected ordering of privilege
+ separation monitor calls used for authentication and allow them
+ only when their respective authentication methods are enabled
+ in the configuration
+
- sshd(8): Fix uninitialised optlen in getsockopt() call; harmless
+ on Unix/BSD but potentially crashy on Cygwin.
+
- Fix false positive reports caused by explicit_bzero(3) not being
+ recognised as a memory initialiser when compiled with
+ -fsanitize-memory.
+
- sshd_config(5): Use 2001:db8::/32, the official IPv6 subnet for
+ configuration examples.
+
- sshd(1): Fix NULL dereference crash when key exchange start
+ messages are sent out of sequence.
+
- ssh(1), sshd(8): Allow form-feed characters to appear in
+ configuration files.
+
- sshd(8): Fix regression in OpenSSH 7.4 support for the
+ server-sig-algs extension, where SHA2 RSA signature methods were
+ not being correctly advertised.
+
- ssh(1), ssh-keygen(1): Fix a number of case-sensitivity bugs in
+ known_hosts processing.
+
- ssh(1): Allow ssh to use certificates accompanied by a private key
+ file but no corresponding plain *.pub public key.
+
- ssh(1): When updating hostkeys using the UpdateHostKeys option,
+ accept RSA keys if HostkeyAlgorithms contains any RSA keytype.
+ Previously, ssh could ignore RSA keys when only the ssh-rsa-sha2-*
+ methods were enabled in HostkeyAlgorithms and not the old ssh-rsa
+ method.
+
- ssh(1): Detect and report excessively long configuration file
+ lines.
+
- Merge a number of fixes found by Coverity and reported via Redhat
+ and FreeBSD. Includes fixes for some memory and file descriptor
+ leaks in error paths.
+
- ssh-keyscan(1): Correctly hash hosts with a port number.
+
- ssh(1), sshd(8): When logging long messages to stderr, don't truncate
+ "\r\n" if the length of the message exceeds the buffer.
+
- ssh(1): Fully quote [host]:port in generated ProxyJump/-J command-
+ line; avoid confusion over IPv6 addresses and shells that treat
+ square bracket characters specially.
+
- ssh-keygen(1): Fix corruption of known_hosts when running
+ "ssh-keygen -H" on a known_hosts containing already-hashed entries.
+
- Fix various fallout and sharp edges caused by removing SSH protocol
+ 1 support from the server, including the server banner string being
+ incorrectly terminated with only \n (instead of \r\n), confusing
+ error messages from ssh-keyscan a segfault in sshd
+ if protocol v.1 was enabled for the client and sshd_config
+ contained references to legacy keys.
+
- ssh(1), sshd(8): Free fd_set on connection timeout.
+
- sshd(8): Fix Unix domain socket forwarding for root (regression in
+ OpenSSH 7.4).
+
- sftp(1): Fix division by zero crash in "df" output when server
+ returns zero total filesystem blocks/inodes.
+
- ssh(1), ssh-add(1), ssh-keygen(1), sshd(8): Translate OpenSSL errors
+ encountered during key loading to more meaningful error codes.
+
- ssh-keygen(1): Sanitise escape sequences in key comments sent to
+ printf but preserve valid UTF-8 when the locale supports it.
+
- ssh(1), sshd(8): Return reason for port forwarding failures where
+ feasible rather than always "administratively prohibited".
+
- sshd(8): Fix deadlock when AuthorizedKeysCommand or
+ AuthorizedPrincipalsCommand produces a lot of output and a key is
+ matched early.
+
- ssh(1): Fix typo in ~C error message for bad port forward
+ cancellation.
+
- ssh(1): Show a useful error message when included config files
+ can't be opened.
+
- sshd(8): Make sshd set GSSAPIStrictAcceptorCheck=yes as the manual page
+ (previously incorrectly) advertised.
+
- sshd_config(5): Repair accidentally-deleted mention of %k token
+ in AuthorizedKeysCommand.
+
- sshd(8): Remove vestiges of previously removed LOGIN_PROGRAM;
+
- ssh-agent(1): Relax PKCS#11 whitelist to include libexec and
+ common 32-bit compatibility library directories.
+
- sftp-client(1): Fix non-exploitable integer overflow in SSH2_FXP_NAME
+ response handling.
+
- ssh-agent(1): Fix regression in 7.4 of deleting PKCS#11-hosted
+ keys. It was not possible to delete them except by specifying
+ their full physical path.
+
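Review bot: The unchanged heading at the top of this hunk still reads "OpenSSH 7.4", yet several added entries describe fixes for regressions in 7.4 (server-sig-algs advertising, Unix domain socket forwarding for root, deleting PKCS#11-hosted keys), so the list covers more than that release; update the heading or split the entries per release. In the Security list, "AllowUser and DenyUsers" should read "AllowUsers and DenyUsers", "maniuplated" is misspelled, "path-traversal attack. creating" needs a comma instead of the full stop, and "had a bounds checks" should be "had a bounds check". In the bug-fix list, the IdentityFile entry trails off into a fragment ("certificate id_rsa-cert.pub (and no id_rsa.pub)."), "sshd(1)" in the out-of-sequence key exchange entry should be "sshd(8)", the protocol 1 fallout entry is missing "and" before "a segfault in sshd", the monitor-call ordering entry lacks its final full stop, and the LOGIN_PROGRAM entry ends in a semicolon. The PKCS#11 whitelist and the removal of pre-authentication compression are each described twice, once under Security and once under New/changed features; keep the Security wording and shorten the second mention to a pointer, so the two descriptions cannot drift apart.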