Date: Wed, 26 Sep 2001 15:25:09 -0700 From: Cy Schubert - ITSD Open Systems Group <Cy.Schubert@uumail.gov.bc.ca> To: freebsd-security@freebsd.org Subject: OpenSSH 2.9.9 (fwd) Message-ID: <200109262226.f8QMQ6133331@cwsys.cwsent.com>
next in thread | raw e-mail | index | archive | help
A new OpenSSH has been released. I will forward the advisory in a separate note. Regards, Phone: (250)387-8437 Cy Schubert Fax: (250)387-5766 Team Leader, Sun/Alpha Team Internet: Cy.Schubert@osg.gov.bc.ca Open Systems Group, ITSD Ministry of Management Services Province of BC ------- Forwarded Message [headers removed] Date: Wed, 26 Sep 2001 23:05:19 +0200 From: Markus Friedl <markus@openbsd.org> To: announce@openbsd.org Subject: OpenSSH 2.9.9 Message-ID: <20010926230519.A4478@folly> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.2.5i Sender: owner-announce@openbsd.org Precedence: bulk X-Loop: announce@openbsd.org OpenSSH 2.9.9 has just been uploaded. It will be available from the mirrors listed at http://www.openssh.com/ shortly. OpenSSH 2.9.9 fixes a weakness in the key file option handling, including source IP based access control. OpenSSH is a 100% complete SSH protocol version 1.3, 1.5 and 2.0 implementation and includes sftp client and server support. This release contains many portability bug-fixes (listed in the ChangeLog) as well as several new features (listed below). We would like to thank the OpenSSH community for their continued support and encouragement. Security Notes: =============== This release fixes weakness in the source IP based access control for SSH protocol v2 public key authentication: Versions of OpenSSH between 2.5 and 2.9.9 are affected if they use the 'from=' key file option in combination with both RSA and DSA keys in ~/.ssh/authorized_keys2. Depending on the order of the user keys in ~/.ssh/authorized_keys2 sshd might fail to apply the source IP based access control restriction (e.g. from="10.0.0.1") to the correct key: If a source IP restricted key (e.g. DSA key) is immediately followed by a key of a different type (e.g. RSA key), then key options for the second key are applied to both keys, which includes 'from='. This means that users can circumvent the system policy and login from disallowed source IP addresses. Important Changes: ================== OpenSSH 2.9.9 might have upgrade issues introduced by the long time between releases, which may affect people in unforseen ways: 1) The files /etc/ssh_known_hosts2 ~/.ssh/known_hosts2 ~/.ssh/authorized_keys2 are now obsolete, you can use /etc/ssh_known_hosts ~/.ssh/known_hosts ~/.ssh/authorized_keys For backward compatibility ~/.ssh/authorized_keys2 is still used for authentication and hostkeys are still read from the known_hosts2. However, old files are considered 'readonly'. Future releases are likely to not read these files. 2) The CheckMail option in sshd_config is deprecated, sshd no longer checks for new mail. 3) X11 cookies are stored in $HOME OpenSSH is brought to you by Markus Friedl, Niels Provos, Theo de Raadt, Kevin Steves, Damien Miller and Ben Lindstrom. ------- End of Forwarded Message To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?200109262226.f8QMQ6133331>