Message ID | 20210927153359.1500601-1-adolf.belka@ipfire.org |
---|---|
State | Accepted |
Commit | f877c07e4d87c09aadc258307db51eba28ffdc1a |
Headers |
Return-Path: <development-bounces@lists.ipfire.org> Received: from mail01.ipfire.org (mail01.haj.ipfire.org [172.28.1.202]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-384) client-signature ECDSA (P-384)) (Client CN "mail01.haj.ipfire.org", Issuer "R3" (verified OK)) by web04.haj.ipfire.org (Postfix) with ESMTPS id 4HJ6B76W5Pz3x1J for <patchwork@web04.haj.ipfire.org>; Mon, 27 Sep 2021 15:34:07 +0000 (UTC) Received: from mail02.haj.ipfire.org (mail02.haj.ipfire.org [172.28.1.201]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-384) client-signature ECDSA (P-384)) (Client CN "mail02.haj.ipfire.org", Issuer "R3" (verified OK)) by mail01.ipfire.org (Postfix) with ESMTPS id 4HJ6B74Xfwz13M; Mon, 27 Sep 2021 15:34:07 +0000 (UTC) Received: from mail02.haj.ipfire.org (localhost [127.0.0.1]) by mail02.haj.ipfire.org (Postfix) with ESMTP id 4HJ6B73Pwfz2yNY; Mon, 27 Sep 2021 15:34:07 +0000 (UTC) Received: from mail01.ipfire.org (mail01.haj.ipfire.org [172.28.1.202]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-384) client-signature ECDSA (P-384)) (Client CN "mail01.haj.ipfire.org", Issuer "R3" (verified OK)) by mail02.haj.ipfire.org (Postfix) with ESMTPS id 4HJ6B64bMpz2x9g for <development@lists.ipfire.org>; Mon, 27 Sep 2021 15:34:06 +0000 (UTC) Received: from [127.0.0.1] (localhost [127.0.0.1]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-384) server-digest SHA384) (No client certificate requested) by mail01.ipfire.org (Postfix) with ESMTPSA id 4HJ6B60J6lzNh; Mon, 27 Sep 2021 15:34:06 +0000 (UTC) DKIM-Signature: v=1; a=ed25519-sha256; c=relaxed/relaxed; d=ipfire.org; s=202003ed25519; t=1632756846; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version: content-transfer-encoding:content-transfer-encoding; bh=/LEGEz9hpXwoJDhDM5mBT+D6rWi7W684ugHyVFOHMX4=; b=/QzTZVRXvu+Dmc9qit+Q9A8LJuL4O73VOvpCNAK309IV6YTTNG0LB+So7FjrTpYJacI6g9 Xk/zCMUsCyBWmzCg== DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ipfire.org; s=202003rsa; t=1632756846; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version: content-transfer-encoding:content-transfer-encoding; bh=/LEGEz9hpXwoJDhDM5mBT+D6rWi7W684ugHyVFOHMX4=; b=d4e0EnOWsvGFNfi/dO/U5R35XA/sBRbshwr+5bYAe0pz9HwRAl+dhqIZYBYVrC/X9N5vKU uqlMC7G1mfNhFjumC8LcqkCgfEvZvB57HCG4DjPeX6z8C1LTppsXfSTnG3QP4eU54s9wrY IAPAydvgQ2w2xDgXuyRfyYTzmROMx4xBfA4Co9HrWhS4CN4OWybfw0Qk+ahIE7ps80vm4a aeGHcnbpNZFO41y9hduyLN0Q3D5Sf34MTXIN96Bxmozp8Ef97MVwE3fzZnUYZaE2Ho4w+5 3zY2BGyixirsxyT0eCdpfMYKcd2InngiRPUHOUv54xQPJjleH1GBLQ/dBz0oZQ== From: Adolf Belka <adolf.belka@ipfire.org> To: development@lists.ipfire.org Subject: [PATCH] openssh: Update to version 8.8p1 Date: Mon, 27 Sep 2021 17:33:59 +0200 Message-Id: <20210927153359.1500601-1-adolf.belka@ipfire.org> MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-BeenThere: development@lists.ipfire.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: IPFire development talk <development.lists.ipfire.org> List-Unsubscribe: <https://lists.ipfire.org/mailman/options/development>, <mailto:development-request@lists.ipfire.org?subject=unsubscribe> List-Archive: <http://lists.ipfire.org/pipermail/development/> List-Post: <mailto:development@lists.ipfire.org> List-Help: <mailto:development-request@lists.ipfire.org?subject=help> List-Subscribe: <https://lists.ipfire.org/mailman/listinfo/development>, <mailto:development-request@lists.ipfire.org?subject=subscribe> Errors-To: development-bounces@lists.ipfire.org Sender: "Development" <development-bounces@lists.ipfire.org> |
Series |
openssh: Update to version 8.8p1
|
|
Commit Message
Adolf Belka
Sept. 27, 2021, 3:33 p.m. UTC
- Update from 8.7p1 to 8.8p1
- Update of rootfile not required
- Changelog
OpenSSH 8.8p1
Future deprecation notice
A near-future release of OpenSSH will switch scp(1) from using the
legacy scp/rcp protocol to using SFTP by default.
Legacy scp/rcp performs wildcard expansion of remote filenames (e.g.
"scp host:* .") through the remote shell. This has the side effect of
requiring double quoting of shell meta-characters in file names
included on scp(1) command-lines, otherwise they could be interpreted
as shell commands on the remote side.
This creates one area of potential incompatibility: scp(1) when using
the SFTP protocol no longer requires this finicky and brittle quoting,
and attempts to use it may cause transfers to fail. We consider the
removal of the need for double-quoting shell characters in file names
to be a benefit and do not intend to introduce bug- compatibility for
legacy scp/rcp in scp(1) when using the SFTP protocol.
Another area of potential incompatibility relates to the use of remote
paths relative to other user's home directories, for example -
"scp host:~user/file /tmp". The SFTP protocol has no native way to
expand a ~user path. However, sftp-server(8) in OpenSSH 8.7 and later
support a protocol extension "expand-path@openssh.com" to support
this.
Security
sshd(8) from OpenSSH 6.2 through 8.7 failed to correctly initialise
supplemental groups when executing an AuthorizedKeysCommand or
AuthorizedPrincipalsCommand, where a AuthorizedKeysCommandUser or
AuthorizedPrincipalsCommandUser directive has been set to run the
command as a different user. Instead these commands would inherit
the groups that sshd(8) was started with.
Depending on system configuration, inherited groups may allow
AuthorizedKeysCommand/AuthorizedPrincipalsCommand helper programs to
gain unintended privilege.
Neither AuthorizedKeysCommand nor AuthorizedPrincipalsCommand are
enabled by default in sshd_config(5).
Potentially-incompatible changes
This release disables RSA signatures using the SHA-1 hash algorithm
by default. This change has been made as the SHA-1 hash algorithm is
cryptographically broken, and it is possible to create chosen-prefix
hash collisions for <USD$50K [1]
For most users, this change should be invisible and there is
no need to replace ssh-rsa keys. OpenSSH has supported RFC8332
RSA/SHA-256/512 signatures since release 7.2 and existing ssh-rsa keys
will automatically use the stronger algorithm where possible.
Changes since OpenSSH 8.7p1
This release is motivated primarily by the above deprecation and
security fix.
New features
* ssh(1): allow the ssh_config(5) CanonicalizePermittedCNAMEs
directive to accept a "none" argument to specify the default
behaviour.
Bugfixes
* scp(1): when using the SFTP protocol, continue transferring files
after a transfer error occurs, better matching original scp/rcp
behaviour.
* ssh(1): fixed a number of memory leaks in multiplexing,
* ssh-keygen(1): avoid crash when using the -Y find-principals
command.
* A number of documentation and manual improvements, including
bz#3340, PR139, PR215, PR241, PR257
Portability
* ssh-agent(1): on FreeBSD, use procctl to disable ptrace(2)
* ssh(1)/sshd(8): some fixes to the pselect(2) replacement
compatibility code. bz#3345
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
---
lfs/openssh | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/lfs/openssh b/lfs/openssh index ec8ac1e55..1aea6cba9 100644 --- a/lfs/openssh +++ b/lfs/openssh @@ -24,7 +24,7 @@ include Config -VER = 8.7p1 +VER = 8.8p1 THISAPP = openssh-$(VER) DL_FILE = $(THISAPP).tar.gz @@ -40,7 +40,7 @@ objects = $(DL_FILE) $(DL_FILE) = $(DL_FROM)/$(DL_FILE) -$(DL_FILE)_MD5 = f545230799f131aecca04da56e61990a +$(DL_FILE)_MD5 = 8ce5f390958baeeab635aafd0ef41453 install : $(TARGET)