===================================================================
RCS file: /cvsrepo/anoncvs/cvs/www/73.html,v
retrieving revision 1.13
retrieving revision 1.14
diff -u -r1.13 -r1.14
--- www/73.html 2023/04/03 00:00:12 1.13
+++ www/73.html 2023/04/03 00:16:00 1.14
@@ -794,19 +794,148 @@
-
OpenSSH 9.3.
+OpenSSH 9.3 and OpenSSH 9.2
+This release of OpenBSD includes the changes made to OpenSSH since release 9.1:
- Security
+
- ssh-add(1): when adding smartcard keys to ssh-agent(1) with the
+ per-hop destination constraints (ssh-add -h ...) added in OpenSSH
+ 8.9, a logic error prevented the constraints from being
+ communicated to the agent. This resulted in the keys being added
+ without constraints. The common cases of non-smartcard keys and
+ keys without destination constraints are unaffected. This problem
+ was reported by Luci Stanescu.
+
- ssh(1): Portable OpenSSH provides an implementation of the
+ getrrsetbyname(3) function if the standard library does not
+ provide it, for use by the VerifyHostKeyDNS feature. A
+ specifically crafted DNS response could cause this function to
+ perform an out-of-bounds read of adjacent stack data, but this
+ condition does not appear to be exploitable beyond denial-of-
+ service to the ssh(1) client.
+ The getrrsetbyname(3) replacement is only included if the system's
+ standard library lacks this function and portable OpenSSH was not
+ compiled with the ldns library (--with-ldns). getrrsetbyname(3) is
+ only invoked if using VerifyHostKeyDNS to fetch SSHFP records. This
+ problem was found by the Coverity static analyzer.
+ - sshd(8): fix a pre-authentication double-free memory fault
+ introduced in OpenSSH 9.1. This is not believed to be exploitable,
+ and it occurs in the unprivileged pre-auth process that is
+ subject to chroot(2) and is further sandboxed on most major
+ platforms.
+
- ssh(8): in OpenSSH releases after 8.7, the PermitRemoteOpen option
+ would ignore its first argument unless it was one of the special
+ keywords "any" or "none", causing the permission list to fail open
+ if only one permission was specified. bz3515
+
- ssh(1): if the CanonicalizeHostname and CanonicalizePermittedCNAMEs
+ options were enabled, and the system/libc resolver did not check
+ that names in DNS responses were valid, then use of these options
+ could allow an attacker with control of DNS to include invalid
+ characters (possibly including wildcards) in names added to
+ known_hosts files when they were updated. These names would still
+ have to match the CanonicalizePermittedCNAMEs allow-list, so
+ practical exploitation appears unlikely.
+
Potentially-incompatible changes
-
+
+ - ssh(1): add a new EnableEscapeCommandline ssh_config(5) option that
+ controls whether the client-side ~C escape sequence that provides a
+ command-line is available. Among other things, the ~C command-line
+ could be used to add additional port-forwards at runtime.
+ This option defaults to "no", disabling the ~C command-line that
+ was previously enabled by default. Turning off the command-line
+ allows platforms that support sandboxing of the ssh(1) client
+ (currently only OpenBSD) to use a stricter default sandbox policy.
+
+ New features
+
+ - ssh-keygen(1), ssh-keyscan(1): accept -Ohashalg=sha1|sha256 when
+ outputting SSHFP fingerprints to allow algorithm selection. bz3493
+
- sshd(8): add a `sshd -G` option that parses and prints the
+ effective configuration without attempting to load private keys
+ and perform other checks. This allows usage of the option before
+ keys have been generated and for configuration evaluation and
+ verification by unprivileged users.
+
- sshd(8): add support for channel inactivity timeouts via a new
+ sshd_config(5) ChannelTimeout directive. This allows channels that
+ have not seen traffic in a configurable interval to be
+ automatically closed. Different timeouts may be applied to session,
+ X11, agent and TCP forwarding channels.
+
- sshd(8): add a sshd_config UnusedConnectionTimeout option to
+ terminate client connections that have no open channels for a
+ length of time. This complements the ChannelTimeout option above.
+
- sshd(8): add a -V (version) option to sshd like the ssh client has.
+
- ssh(1): add a "Host" line to the output of ssh -G showing the
+ original hostname argument. bz3343
+
- scp(1), sftp(1): add a -X option to both scp(1) and sftp(1) to
+ allow control over some SFTP protocol parameters: the copy buffer
+ length and the number of in-flight requests, both of which are used
+ during upload/download. Previously these could be controlled in
+ sftp(1) only. This makes them available in both SFTP protocol
+ clients using the same option character sequence.
+
- ssh-keyscan(1): allow scanning of complete CIDR address ranges,
+ e.g. "ssh-keyscan 192.168.0.0/24". If a CIDR range is passed, then
+ it will be expanded to all possible addresses in the range
+ including the all-0s and all-1s addresses. bz#976
+
- ssh(1): support dynamic remote port forwarding in escape
+ command-line's -R processing. bz#3499
+
Bugfixes
-
- - ...
+
+ - scp(1), sftp(1): fix progressmeter corruption on wide displays;
+ bz3534
+
- ssh-add(1), ssh-keygen(1): use RSA/SHA256 when testing usability
+ of private keys as some systems are starting to disable RSA/SHA1
+ in libcrypto.
+
- sftp-server(8): fix a memory leak. GHPR363
+
- ssh(1), sshd(8), ssh-keyscan(1): remove vestigal protocol
+ compatibility code and simplify what's left.
+
- Fix a number of low-impact Coverity static analysis findings.
+ These include several reported via bz2687
+
- ssh_config(5), sshd_config(5): mention that some options are not
+ first-match-wins.
+
- Rework logging for the regression tests. Regression tests will now
+ capture separate logs for each ssh and sshd invocation in a test.
+
- ssh(1): make `ssh -Q CASignatureAlgorithms` work as the manpage
+ says it should; bz3532.
+
- ssh(1): ensure that there is a terminating newline when adding a
+ new entry to known_hosts; bz3529
+
- ssh(1): when restoring non-blocking mode to stdio fds, restore
+ exactly the flags that ssh started with and don't just clobber them
+ with zero, as this could also remove the append flag from the set.
+ bz3523
+
- ssh(1): avoid printf("%s", NULL) if using UserKnownHostsFile=none
+ and a hostkey in one of the system known hosts file changes.
+
- scp(1): switch scp from using pipes to a socket-pair for
+ communication with its ssh sub-processes, matching how sftp(1)
+ operates.
+
- sshd(8): clear signal mask early in main(); sshd may have been
+ started with one or more signals masked (sigprocmask(2) is not
+ cleared on fork/exec) and this could interfere with various things,
+ e.g. the login grace timer. Execution environments that fail to
+ clear the signal mask before running sshd are clearly broken, but
+ apparently they do exist.
+
- ssh(1): warn if no host keys for hostbased auth can be loaded.
+
- sshd(8): Add server debugging for hostbased auth that is queued and
+ sent to the client after successful authentication, but also logged
+ to assist in diagnosis of HostbasedAuthentication problems. bz3507
+
- ssh(1): document use of the IdentityFile option as being usable to
+ list public keys as well as private keys. GHPR352
+
- sshd(8): check for and disallow MaxStartups values less than or
+ equal to zero during config parsing, rather than failing later at
+ runtime. bz3489
+
- ssh-keygen(1): fix parsing of hex cert expiry times specified on
+ the command-line when acting as a CA.
+
- scp(1): when scp(1) is using the SFTP protocol for transport (the
+ default), better match scp/rcp's handling of globs that don't match
+ the globbed characters but do match literally (e.g. trying to
+ transfer a file named "foo.[1]"). Previously scp(1) in SFTP mode
+ would not match these pathnames but legacy scp/rcp mode would.
+ bz3488
+
- ssh-agent(1): document the "-O no-restrict-websafe" command-line
+ option.
+
- ssh(1): honour user's umask(2) if it is more restrictive then the
+ ssh default (022).
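Review bot: In the Security list, the PermitRemoteOpen entry is labelled "ssh(8)", while every other client entry in this hunk is "ssh(1)" and section 8 is used only for the daemons (sshd(8), sftp-server(8)); suggest "ssh(1)" there so the reference matches the client's manual section. Two spelling slips in the Bugfixes list can be fixed in the same commit: "vestigal" should be "vestigial", and "more restrictive then the ssh default" should read "more restrictive than". The bug references mix styles ("bz3515", "bz3493" against "bz#976", "bz#3499"), so pick one form. The "sshd -G" and "ssh -Q CASignatureAlgorithms" items are wrapped in literal backticks, which an HTML page will display as-is; use the page's own markup for commands instead.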