Mail Archives: cygwin/2022/04/27/06:38:20

To: cygwin AT cygwin DOT com
Date: Wed, 27 Apr 2022 12:23:37 +0200
Message-Id: <announce.20220427122337.1589156-1-corinna-cygwin@cygwin.com>
Subject: [ANNOUNCEMENT] openssh 9.0p1-1
From: Corinna Vinschen via Cygwin-announce <cygwin-announce AT cygwin DOT com>

The following packages have been uploaded to the Cygwin distribution:

* openssh-9.0p1-1

OpenSSH is a program for logging into a remote machine and for
executing commands on a remote machine.  It can replace rlogin and rsh,
providing encrypted communication between two machines.


Cygwin release message:
========================================================================
WinHello support:

Apart from the following official upstream release message, this release
contains support for WinHello.  That is, users of Windows 10 1909 or
later will now be able to use FIDO2 tokens in conjunction with
WinHello.  Create keys with one of

  ssh-keygen -t ed25519-sk [-O verify-required]
  ssh-keygen -t ecdsa-sk [-O verify-required]

Please note that keys created with `-O no-touch-required' won't work,
because WinHello doesn't support authenticating FIDO2 tokens without
checking user presence.

WinHello support is supposed to go upstream, but the changes didn't   
make it into 9.0p1.


Official upstream release message:
========================================================================

OpenSSH 9.0 has just been released. It will be available from the
mirrors listed at https://www.openssh.com/ shortly.

OpenSSH is a 100% complete SSH protocol 2.0 implementation and
includes sftp client and server support.

Once again, we would like to thank the OpenSSH community for their
continued support of the project, especially those who contributed
code or patches, reported bugs, tested snapshots or donated to the
project. More information on donations may be found at:  
https://www.openssh.com/donations.html

Changes since OpenSSH 8.9
=========================

This release is focused on bug fixing.

Potentially-incompatible changes
--------------------------------

This release switches scp(1) from using the legacy scp/rcp protocol
to using the SFTP protocol by default.

Legacy scp/rcp performs wildcard expansion of remote filenames (e.g.
"scp host:* .") through the remote shell. This has the side effect of
requiring double quoting of shell meta-characters in file names
included on scp(1) command-lines, otherwise they could be interpreted
as shell commands on the remote side.

This creates one area of potential incompatibility: scp(1) when using
the SFTP protocol no longer requires this finicky and brittle quoting,
and attempts to use it may cause transfers to fail. We consider the
removal of the need for double-quoting shell characters in file names
to be a benefit and do not intend to introduce bug-compatibility for
legacy scp/rcp in scp(1) when using the SFTP protocol.

Another area of potential incompatibility relates to the use of remote
paths relative to other users' home directories, for example -
"scp host:~user/file /tmp". The SFTP protocol has no native way to
expand a ~user path. However, sftp-server(8) in OpenSSH 8.7 and later
supports a protocol extension "expand-path@openssh.com" to support
this.

In case of incompatibility, the scp(1) client may be instructed to use
the legacy scp/rcp using the -O flag.

New features
------------

 * ssh(1), sshd(8): use the hybrid Streamlined NTRU Prime + x25519 key
   exchange method by default ("sntrup761x25519-sha512@openssh.com").
   The NTRU algorithm is believed to resist attacks enabled by future
   quantum computers and is paired with the X25519 ECDH key exchange
   (the previous default) as a backstop against any weaknesses in
   NTRU Prime that may be discovered in the future. The combination
   ensures that the hybrid exchange offers at least as good security
   as the status quo.

   We are making this change now (i.e. ahead of cryptographically-
   relevant quantum computers) to prevent "capture now, decrypt
   later" attacks where an adversary who can record and store SSH
   session ciphertext would be able to decrypt it once a sufficiently
   advanced quantum computer is available.

 * sftp-server(8): support the "copy-data" extension to allow server-
   side copying of files/data, following the design in
   draft-ietf-secsh-filexfer-extensions-00. bz2948

 * sftp(1): add a "cp" command to allow the sftp client to perform
   server-side file copies.
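
To confirm that a local KexAlgorithms override has not dropped the new
hybrid default, the sketch below classifies the kexalgorithms line printed
by "ssh -G <host>" or "sshd -T" and shows which method two peers would agree
on. It is an added example, not part of the announcement or of OpenSSH; the
function names and algorithm lists are constructed, and the negotiation is
the simplified RFC 4253 rule (first client entry the server also lists).

```shell
#!/bin/sh
# Added example: constructed sample data, not output captured from a real host.
HYBRID='sntrup761x25519-sha512@openssh.com'

# Classify the KexAlgorithms line of `ssh -G <host>` / `sshd -T` output (stdin).
kex_status() {
    awk -v want="$HYBRID" '
        tolower($1) == "kexalgorithms" {
            seen = 1; pos = 0
            n = split($2, alg, ",")
            for (i = 1; i <= n; i++) if (alg[i] == want) pos = i
        }
        END {
            if (!seen)         print "unknown"
            else if (pos == 1) print "preferred"
            else if (pos > 1)  print "offered-not-preferred"
            else               print "missing"
        }'
}

# Simplified RFC 4253 selection: first client algorithm the server also lists.
negotiated_kex() {
    old_ifs=$IFS; IFS=,
    for c in $1; do
        for s in $2; do
            if [ "$c" = "$s" ]; then
                IFS=$old_ifs; printf '%s\n' "$c"; return 0
            fi
        done
    done
    IFS=$old_ifs; return 1
}

# Constructed samples: a 9.0-style client list and a server pinned to older methods.
CLIENT_9_0='sntrup761x25519-sha512@openssh.com,curve25519-sha256,ecdh-sha2-nistp256'
SERVER_PINNED='curve25519-sha256,diffie-hellman-group14-sha256'

printf 'kexalgorithms %s\n' "$CLIENT_9_0" | kex_status
printf 'kexalgorithms %s\n' "$SERVER_PINNED" | kex_status
negotiated_kex "$CLIENT_9_0" "$SERVER_PINNED"
```

On a live system, feed it real data with "ssh -G host | kex_status" or
"sshd -T | kex_status".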

Bugfixes
--------

 * ssh(1), sshd(8): upstream: fix poll(2) spin when a channel's output
   fd closes without data in the channel buffer. bz3405 and bz3411

 * sshd(8): pack pollfd array in server listen/accept loop. Could
   cause the server to hang/spin when MaxStartups > RLIMIT_NOFILE

 * ssh-keygen(1): avoid NULL deref via the find-principals and
   check-novalidate operations. bz3409 and GHPR#307 respectively.

 * scp(1): fix a memory leak in argument processing. bz3404

 * sshd(8): don't try to resolve ListenAddress directives in the sshd
   re-exec path. They are unused after re-exec and parsing errors
   (possible for example if the host's network configuration changed)
   could prevent connections from being accepted.

 * sshd(8): when refusing a public key authentication request from a
   client for using an unapproved or unsupported signature algorithm
   include the algorithm name in the log message to make debugging
   easier.

Portability
-----------

 * sshd(8): refactor platform-specific locked account check, fixing
   an incorrect free() on platforms with both libiaf and shadow
   passwords (probably only Unixware). GHPR#284

 * ssh(1), sshd(8): Fix possible integer underflow in scan_scaled(3)
   parsing of K/M/G/etc quantities. bz#3401.

 * sshd(8): provide killpg implementation (mostly for Tandem NonStop)
   GHPR#301.

 * Check for missing ftruncate prototype. GHPR#301

 * sshd(8): default to not using sandbox when cross compiling. On most
   systems poll(2) does not work when the number of FDs is reduced
   with setrlimit, so assume it doesn't when cross compiling and we
   can't run the test.  bz#3398.

 * sshd(8): allow ppoll_time64 in seccomp sandbox. Should fix sandbox
   violations on some (at least i386 and armhf) 32bit Linux platforms.
   bz#3396.

 * Improve detection of -fzero-call-used-regs=all support in
   configure script.


Checksums:
==========


 - SHA1 (openssh-9.0.tar.gz) = 05302aa4781e1a69db4261474ed940bd685afc24
 - SHA256 (openssh-9.0.tar.gz) = 9I/FrLf5Gij/4NIPts9A8yWVi0ienyyMqjqn8s0hyLk=

 - SHA1 (openssh-9.0p1.tar.gz) = 06dd658874dcd22d66311cf5999bd56c614de509
 - SHA256 (openssh-9.0p1.tar.gz) = A5dDAhYenszjIVPPoQAS8eZcjzdQ9XOnOrG+/Vlyooo=

Please note that the SHA256 signatures are base64 encoded and not
hexadecimal (which is the default for most checksum tools). The PGP
key used to sign the releases is available from the mirror sites:
https://cdn.openbsd.org/pub/OpenBSD/OpenSSH/RELEASE_KEY.asc
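
Because sha256sum prints hex while the digests above are base64, a direct
string comparison always fails. The helper below decodes the published
value to hex before comparing. It is an added example, not part of the
announcement; the function names are hypothetical and it assumes GNU
coreutils (base64, od, sha256sum), as packaged for Cygwin.

```shell
#!/bin/sh
# Added example; assumes GNU coreutils (base64, od, sha256sum).

# Decode a base64-encoded digest into lowercase hex.
b64_to_hex() {
    printf '%s' "$1" | base64 -d 2>/dev/null | od -An -v -tx1 | tr -d ' \n'
}

# Return 0 if FILE's SHA256 equals the base64 digest, 1 on mismatch,
# 2 if the digest does not decode to exactly 32 bytes.
verify_b64_sha256() {
    want=$(b64_to_hex "$2")
    [ "${#want}" -eq 64 ] || return 2
    # Read via stdin so unusual file names cannot alter sha256sum's output format.
    got=$(sha256sum < "$1" | cut -d' ' -f1)
    [ "$got" = "$want" ]
}

# Usage: sh verify.sh openssh-9.0p1.tar.gz '<base64 SHA256 from the announcement>'
if [ "$#" -eq 2 ]; then
    if verify_b64_sha256 "$1" "$2"; then
        echo "OK: $1"
    else
        echo "MISMATCH or bad digest: $1" >&2
        exit 1
    fi
fi
```

A matching checksum only shows the download is intact; authenticity still
rests on checking the PGP signature against the release key.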

Please note that the OpenPGP key used to sign releases has been
rotated for this release. The new key has been signed by the previous
key to provide continuity.

Reporting Bugs:
===============

- Please read https://www.openssh.com/report.html
  Security bugs should be reported directly to openssh AT openssh DOT com

