This is the mail archive of the cygwin-announce mailing list for the Cygwin project.


Index Nav: [Date Index] [Subject Index] [Author Index] [Thread Index]
Message Nav: [Date Prev] [Date Next] [Thread Prev] [Thread Next]
Other format: [Raw text]

Updated: OpenSSH-4.2p1-1


I've just updated the version of OpenSSH to 4.2p1-1.

This is an official new upstream release.

The official release message:

====================================================================
OpenSSH 4.2 has just been released. It will be available from the
mirrors listed at http://www.openssh.com/ shortly.

OpenSSH is a 100% complete SSH protocol version 1.3, 1.5 and 2.0
implementation and includes sftp client and server support.

We would like to thank the OpenSSH community for their continued
support of the project, especially those who contributed source,
reported bugs, tested snapshots and purchased T-shirts or posters.

T-shirt, poster and CD sales directly support the project. Pictures
and more information can be found at:
        http://www.openbsd.org/tshirts.html and
        http://www.openbsd.org/orders.html

For international orders use http://https.openbsd.org/cgi-bin/order
and for European orders, use http://https.openbsd.org/cgi-bin/order.eu

Changes since OpenSSH 4.1:
============================

  - SECURITY: Fix a bug introduced in OpenSSH 4.0 that caused
    GatewayPorts to be incorrectly activated for dynamic ("-D") port
    forwardings when no listen address was explicitly specified.

  - SECURITY: sshd in OpenSSH versions prior to 4.2 allow GSSAPI
    credentials to be delegated to users who log in with methods
    other than GSSAPI authentication (e.g. public key) when the
    client requests it. This behaviour has been changed in OpenSSH
    4.2 to only delegate credentials to users who authenticate
    using the GSSAPI method. This eliminates the risk of credentials
    being inadvertently exposed to an untrusted user/host (though
    users should not activate GSSAPIDelegateCredentials to begin
    with when the remote user or host is untrusted)

  - Added a new compression method that delays the start of zlib
    compression until the user has been authenticated successfully.
    The new method ("Compression delayed") is on by default in the
    server. This eliminates the risk of any zlib vulnerability
    leading to a compromise of the server from unauthenticated users.

    NB. Older OpenSSH (<3.5) versions have a bug that will cause them
    to refuse to connect to any server that does not offer compression
    when the client has compression requested. Since the new "delayed"
    server mode isn't supported by these older clients, they will
    refuse to connect to a new server unless compression is disabled
    (on the client end) or the original compression method is enabled
    on the server ("Compression yes" in sshd_config)

  - Another round of proactive changes for signed vs unsigned integer
    bugs has been completed, including changing the atomicio() API to
    encourage safer programming. This work is ongoing.

  - Added support for the improved arcfour cipher modes from
    draft-harris-ssh-arcfour-fixes-02. The improves the cipher's
    resistance to a number of attacks by discarding early keystream
    output.

  - Increase the default size of new RSA/DSA keys generated by
    ssh-keygen from 1024 to 2048 bits.

  - Many bugfixes and improvements to connection multiplexing,
    including:

    - Added ControlMaster=auto/autoask options to support opportunistic
      multiplexing (see the ssh_config(5) manpage for details).

    - The client will now gracefully fallback to starting a new TCP
      connection if it cannot connect to a specified multiplexing
      control socket

    - Added %h (target hostname), %p (target port) and %r (remote
      username) expansion sequences to ControlPath. Also allow
      ControlPath=none to disable connection multiplexing.

    - Implemented support for X11 and agent forwarding over multiplexed
      connections. Because of protocol limitations, the slave
      connections inherit the master's DISPLAY and SSH_AUTH_SOCK rather
      than distinctly forwarding their own.

  - Portable OpenSSH: Added support for long passwords (> 8-char) on
    UnixWare 7.

  - The following bugs from http://bugzilla.mindrot.org/ were closed:

     #471  - Misleading error message if /dev/tty perms wrong
     #623  - Don't use $HOME in manpages
     #829  - Don't allocate a tty if -n option is set
     #1025 - Correctly handle disabled special character in ttymodes
     #1033 - Fix compile-time warnings
     #1046 - AIX 5.3 Garbage on Login
     #1054 - Don't terminate connection on getpeername() failure
     #1076 - GSSAPIDelegateCredentials issue mentioned above

  - Lots of other improvements and fixes. Please refer to the ChangeLog
    for details

Thanks to everyone who has contributed patches, problem or test reports.

Checksums:
==========

- SHA1 (openssh-4.2.tar.gz) = d2bd777986a30e446268ceeb24cddbf2edf51b21
- SHA1 (openssh-4.2p1.tar.gz) = 5e7231cfa8ec673ea856ce291b78fac8b380eb78

Reporting Bugs:
===============

- please read http://www.openssh.com/report.html
  and http://bugzilla.mindrot.org/

OpenSSH is brought to you by Markus Friedl, Niels Provos, Theo de Raadt,
Kevin Steves, Damien Miller, Ben Lindstrom, Darren Tucker and Tim Rice.
====================================================================

To update your installation, click on the "Install Cygwin now" link on
the http://cygwin.com/ web page.  This downloads setup.exe to your
system.  Then, run setup and answer all of the questions.

              *** CYGWIN-ANNOUNCE UNSUBSCRIBE INFO ***

If you want to unsubscribe from the cygwin-announce mailing list, look
at the "List-Unsubscribe: " tag in the email header of this message.
Send email to the address specified there.  It will be in the format:

cygwin-announce-unsubscribe-you=3D3Dyourdomain.com@cygwin.com

If you need more information on unsubscribing, start reading here:

http://sources.redhat.com/lists.html#unsubscribe-simple

Please read *all* of the information on unsubscribing that is available
starting at this URL.

-- 
Corinna Vinschen                  Please, send mails regarding Cygwin to
Cygwin Developer                                mailto:cygwin@cygwin.com
Red Hat, Inc.


Index Nav: [Date Index] [Subject Index] [Author Index] [Thread Index]
Message Nav: [Date Prev] [Date Next] [Thread Prev] [Thread Next]