From patchwork Fri Mar 5 17:41:28 2021 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Patchwork-Submitter: Adolf Belka X-Patchwork-Id: 3925 Return-Path: Received: from mail01.ipfire.org (mail01.haj.ipfire.org [172.28.1.202]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-384) server-digest SHA384 client-signature ECDSA (P-384) client-digest SHA384) (Client CN "mail01.haj.ipfire.org", Issuer "R3" (verified OK)) by web04.haj.ipfire.org (Postfix) with ESMTPS id 4DsZmH4HKJz3wwh for ; Fri, 5 Mar 2021 17:41:35 +0000 (UTC) Received: from mail02.haj.ipfire.org (mail02.haj.ipfire.org [172.28.1.201]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-384) client-signature ECDSA (P-384)) (Client CN "mail02.haj.ipfire.org", Issuer "R3" (verified OK)) by mail01.ipfire.org (Postfix) with ESMTPS id 4DsZmG34NHz5NY; Fri, 5 Mar 2021 17:41:34 +0000 (UTC) Received: from mail02.haj.ipfire.org (localhost [127.0.0.1]) by mail02.haj.ipfire.org (Postfix) with ESMTP id 4DsZmG1rP1z2xYh; Fri, 5 Mar 2021 17:41:34 +0000 (UTC) Received: from mail01.ipfire.org (mail01.haj.ipfire.org [172.28.1.202]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-384) server-digest SHA384 client-signature ECDSA (P-384) client-digest SHA384) (Client CN "mail01.haj.ipfire.org", Issuer "R3" (verified OK)) by mail02.haj.ipfire.org (Postfix) with ESMTPS id 4DsZmD0q3jz2xMX for ; Fri, 5 Mar 2021 17:41:32 +0000 (UTC) Received: from [127.0.0.1] (localhost [127.0.0.1]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-384) server-digest SHA384) (No client certificate requested) by mail01.ipfire.org (Postfix) with ESMTPSA id 4DsZmC3tt2z5NP; Fri, 5 Mar 2021 17:41:31 +0000 (UTC) DKIM-Signature: v=1; a=ed25519-sha256; c=relaxed/relaxed; d=ipfire.org; s=202003ed25519; t=1614966091; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version: content-transfer-encoding:content-transfer-encoding; bh=tGWclfG2Sub63IXBIb2Cijwi0Xzng0VtTNzXIJNIn9A=; b=cAEKTBOEufyt7aVLFp+giFoj/jNSVmAzhvawgxaCQKT1uZqCZUIKTZ4TuYJ2mjesz+LUFJ scC06OTsqLjqjCBw== DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ipfire.org; s=202003rsa; t=1614966091; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version: content-transfer-encoding:content-transfer-encoding; bh=tGWclfG2Sub63IXBIb2Cijwi0Xzng0VtTNzXIJNIn9A=; b=AWpW7EPGSU8gaQ/6N6bANNASpwZSSFBiUM32ku2UzMMUaBBQeTDGHZhoKx46TkfcKmlpe/ WU9ITdbz9OIBMa8xaP/UIdq9hfgCfD7Cci5u5OCMeB0ltSJxrp4HWD9x27QTH3wTnPe1dj onWndJApJ5GCX+Q2wLFdohOJ1XL99ml3x8yOR2obryMWhHWKdTIAjAInUMN096Y5IRq2nZ MYmaGXSwMuuHh5wQQCwnixUierEEJjb/TasDlupknZq+8Fq69D12X7TbIsL7LOTQ8T2q8i YUM2GILv5km8RsHKv2oynGbYD5/JWICJ0U49g8xsSL+mVQcqugujCLOubD1hLw== From: Adolf Belka To: development@lists.ipfire.org Subject: [PATCH] openssh: Update to 8.5p1 Date: Fri, 5 Mar 2021 18:41:28 +0100 Message-Id: <20210305174128.3654506-1-adolf.belka@ipfire.org> MIME-Version: 1.0 X-BeenThere: development@lists.ipfire.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: IPFire development talk List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: development-bounces@lists.ipfire.org Sender: "Development" - Update Openssh from 8.4p1 to 8.5p1 - rootfiles not changed - ssh access by keys tested with 8.5p1 and successfully worked - Full Release notes can be read at https://www.openssh.com/releasenotes.html - Future deprecation notice It is now possible[1] to perform chosen-prefix attacks against the SHA-1 algorithm for less than USD$50K. In the SSH protocol, the "ssh-rsa" signature scheme uses the SHA-1 hash algorithm in conjunction with the RSA public key algorithm. OpenSSH will disable this signature scheme by default in the near future. Note that the deactivation of "ssh-rsa" signatures does not necessarily require cessation of use for RSA keys. In the SSH protocol, keys may be capable of signing using multiple algorithms. In particular, "ssh-rsa" keys are capable of signing using "rsa-sha2-256" (RSA/SHA256), "rsa-sha2-512" (RSA/SHA512) and "ssh-rsa" (RSA/SHA1). Only the last of these is being turned off by default. - Checked if the weak ssh-rsa public key algorithm was being used with openssh8.4p1 by running ssh -oHostKeyAlgorithms=-ssh-rsa user@host host verification was successful with no issue so IPFire will not be affected by this deprecation when it happens - Potentially-incompatible changes * ssh(1), sshd(8): this release changes the first-preference signature algorithm from ECDSA to ED25519. This did not affect my use of ssh login but I use ED25519 as the only key algorithm that I use. It might be good to get it tested by someone who has ECDSA and ED25519 keys and prefers ECDSA Remaining changes don't look likely to affect IPFire users - Bugfixes * ssh(1): Prefix keyboard interactive prompts with "(user@host)" to make it easier to determine which connection they are associated with in cases like scp -3, ProxyJump, etc. bz#3224 * sshd(8): fix sshd_config SetEnv directives located inside Match blocks. GHPR201 * ssh(1): when requesting a FIDO token touch on stderr, inform the user once the touch has been recorded. * ssh(1): prevent integer overflow when ridiculously large ConnectTimeout values are specified, capping the effective value (for most platforms) at 24 days. bz#3229 * ssh(1): consider the ECDSA key subtype when ordering host key algorithms in the client. * ssh(1), sshd(8): rename the PubkeyAcceptedKeyTypes keyword to PubkeyAcceptedAlgorithms. The previous name incorrectly suggested that it control allowed key algorithms, when this option actually specifies the signature algorithms that are accepted. The previous name remains available as an alias. bz#3253 * ssh(1), sshd(8): similarly, rename HostbasedKeyTypes (ssh) and HostbasedAcceptedKeyTypes (sshd) to HostbasedAcceptedAlgorithms. * sftp-server(8): add missing lsetstat@openssh.com documentation and advertisement in the server's SSH2_FXP_VERSION hello packet. * ssh(1), sshd(8): more strictly enforce KEX state-machine by banning packet types once they are received. Fixes memleak caused by duplicate SSH2_MSG_KEX_DH_GEX_REQUEST (oss-fuzz #30078). * sftp(1): allow the full range of UIDs/GIDs for chown/chgrp on 32bit platforms instead of being limited by LONG_MAX. bz#3206 * Minor man page fixes (capitalization, commas, etc.) bz#3223 * sftp(1): when doing an sftp recursive upload or download of a read-only directory, ensure that the directory is created with write and execute permissions in the interim so that the transfer can actually complete, then set the directory permission as the final step. bz#3222 * ssh-keygen(1): document the -Z, check the validity of its argument earlier and provide a better error message if it's not correct. bz#2879 * ssh(1): ignore comments at the end of config lines in ssh_config, similar to what we already do for sshd_config. bz#2320 * sshd_config(5): mention that DisableForwarding is valid in a sshd_config Match block. bz3239 * sftp(1): fix incorrect sorting of "ls -ltr" under some circumstances. bz3248. * ssh(1), sshd(8): fix potential integer truncation of (unlikely) timeout values. bz#3250 * ssh(1): make hostbased authentication send the signature algorithm in its SSH2_MSG_USERAUTH_REQUEST packets instead of the key type. This make HostbasedAcceptedAlgorithms do what it is supposed to - filter on signature algorithm and not key type. Signed-off-by: Adolf Belka Reviewed-by: Peter Müller --- lfs/openssh | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/lfs/openssh b/lfs/openssh index 5143f4154..2a07d9e65 100644 --- a/lfs/openssh +++ b/lfs/openssh @@ -24,7 +24,7 @@ include Config -VER = 8.4p1 +VER = 8.5p1 THISAPP = openssh-$(VER) DL_FILE = $(THISAPP).tar.gz @@ -40,7 +40,7 @@ objects = $(DL_FILE) $(DL_FILE) = $(DL_FROM)/$(DL_FILE) -$(DL_FILE)_MD5 = 8f897870404c088e4aa7d1c1c58b526b +$(DL_FILE)_MD5 = 9eb9420cf587edc26f8998ab679ad390 install : $(TARGET)