Mail Archives: cygwin-announce/2001/09/28/04:02:58

Mailing-List: contact cygwin-announce-help AT sourceware DOT cygnus DOT com; run by ezmlm
List-Subscribe: <mailto:cygwin-announce-subscribe AT sources DOT redhat DOT com>
List-Archive: <http://sources.redhat.com/ml/cygwin-announce/>
List-Post: <mailto:cygwin-announce AT sources DOT redhat DOT com>
List-Help: <mailto:cygwin-announce-help AT sources DOT redhat DOT com>, <http://sources.redhat.com/ml/#faqs>
Sender: cygwin-announce-owner AT sources DOT redhat DOT com
Delivered-To: mailing list cygwin-announce AT sources DOT redhat DOT com
Delivered-To: moderator for cygwin-announce AT sources DOT redhat DOT com
Date: Fri, 28 Sep 2001 09:58:38 +0200
From: Corinna Vinschen <vinschen AT redhat DOT com>
To: cygann <cygwin-announce AT cygwin DOT com>
Subject: Updated: OpenSSH-2.9.9p2-1
Message-ID: <20010928095838.A23062@cygbert.vinschen.de>
Reply-To: cygwin <cygwin AT cygwin DOT com>
Mime-Version: 1.0
User-Agent: Mutt/1.2.5i

I've updated the version of OpenSSH in cygwin/latest to 2.9.9p2-1.

Official release notes:
===================================================================
OpenSSH 2.9.9 fixes a weakness in the key file option handling,
including source IP based access control.

OpenSSH is a 100% complete SSH protocol version 1.3, 1.5 and 2.0
implementation and includes sftp client and server support.

This release contains many portability bug-fixes (listed in the
ChangeLog) as well as several new features (listed below).

We would like to thank the OpenSSH community for their continued
support and encouragement.

Security Notes:
===============

This release fixes a weakness in the source IP based access control
for SSH protocol v2 public key authentication:

        Versions of OpenSSH between 2.5 and 2.9.9 are
        affected if they use the 'from=' key file option in
        combination with both RSA and DSA keys in
        ~/.ssh/authorized_keys2.

        Depending on the order of the user keys in
        ~/.ssh/authorized_keys2 sshd might fail to apply the
        source IP based access control restriction (e.g.
        from="10.0.0.1") to the correct key:

        If a source IP restricted key (e.g. DSA key) is
        immediately followed by a key of a different type
        (e.g. RSA key), then key options for the second key
        are applied to both keys, which includes 'from='.  

        This means that users can circumvent the system policy
        and login from disallowed source IP addresses.

Important Changes:
==================

OpenSSH 2.9.9 might have upgrade issues introduced by the long time
between releases, which may affect people in unforeseen ways:

1) The files
        /etc/ssh_known_hosts2
        ~/.ssh/known_hosts2
        ~/.ssh/authorized_keys2
   are now obsolete, you can use
        /etc/ssh_known_hosts
        ~/.ssh/known_hosts
        ~/.ssh/authorized_keys
   For backward compatibility ~/.ssh/authorized_keys2 is still used for
   authentication and hostkeys are still read from the known_hosts2.   
   However, old files are considered 'readonly'.  Future releases are  
   likely to not read these files.

2) The CheckMail option in sshd_config is deprecated, sshd no longer
   checks for new mail.

3) X11 cookies are stored in $HOME

===================================================================

===================================================================
Notes for people building their own version of OpenSSH:

1) When creating your own configure file, please note that OpenSSH
   requires an autoconf version >= 2.50 now.

2) When installing, you'll need the `uudecode' tool which is
   part of the `sharutils' package.  That package is currently
   not part of the Cygwin net distro but will be as soon as
   the "next generation" setup tool has been released.

   For the interim I have uploaded sharutils-4.2.1 binary and source
   tar.bz2 archives to ftp://ftp.franken.de/pub/win32/develop/gnuwin32/cygwin/porters/Vinschen_Corinna/1.3.3/
===================================================================

To update your installation, click on the "Install Cygwin now" link on
the http://sources.redhat.com/cygwin web page.  This downloads setup.exe
to your system.

Run setup and answer all of the questions.  The mirrors below have the
latest version of this package:

ftp://mirrors.rcn.net/mirrors/sources.redhat.com/cygwin/ (US)
ftp://ftp.mirror.ac.uk/sites/sourceware.cygnus.com/pub/cygwin/ (UK)
ftp://ftp.uni-erlangen.de/pub/pc/gnuwin32/cygwin/mirrors/cygnus/ (Germany)

Note that if this is the first time that you've run the new GUI version
of setup, it will currently download the whole cygwin net release again.
After this point it will only download what is needed.

If you have questions or comments, please send them to the Cygwin
mailing list at:  cygwin AT sources DOT redhat DOT com .  I would appreciate
if you would use this mailing list rather than emailing me directly.
This includes ideas and comments about the setup utility or Cygwin
in general.

If you want to make a point or ask a question the Cygwin mailing list is
the appropriate place.

              *** CYGWIN-ANNOUNCE UNSUBSCRIBE INFO ***

If you want to unsubscribe to the cygwin-announce mailing list, look
at the "List-Unsubscribe: " tag in the email header of this message.
Send email to the address specified there.  It will be in the format:

cygwin-announce-unsubscribe-you=yourdomain DOT com AT cygwin DOT com

-- 
Corinna Vinschen                  Please, send mails regarding Cygwin to
Cygwin Developer                                mailto:cygwin AT cygwin DOT com
Red Hat, Inc.
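
An audit for the key ordering described in the Security Notes above, as an added example that is not part of the original announcement or of OpenSSH: it scans the text of an authorized_keys2 file for a 'from='-restricted protocol 2 key directly followed by a key of a different type carrying a different 'from=' value (or none). The function names are hypothetical, the sample file is constructed with placeholder key blobs, and "immediately followed" is assumed to mean adjacent key entries once comments and blank lines are skipped.

```python
KEY_TYPES = ("ssh-rsa", "ssh-dss")  # protocol 2 key types named in the advisory
# Constructed sample file; the key blobs are placeholders, not real keys.
SAMPLE = """\
# line 1: comment
from="10.0.0.1" ssh-dss AAAAPLACEHOLDERDSA user@a
ssh-rsa AAAAPLACEHOLDERRSA user@b
from="10.0.0.2",command="echo hi, there" ssh-rsa AAAAPLACEHOLDERRSA2 user@c
ssh-rsa AAAAPLACEHOLDERRSA3 user@d
"""

def split_unquoted(text, seps):
    """Split text on separator characters that lie outside double quotes."""
    parts, cur, quoted, prev = [], "", False, ""
    for ch in text:
        if ch == '"' and prev != "\\":
            quoted = not quoted
        if ch in seps and not quoted:
            parts.append(cur)
            cur = ""
        else:
            cur += ch
        prev = ch
    parts.append(cur)
    return [p for p in parts if p]

def parse_key_line(line):
    """Return (key_type, from_value or None); None for non-key lines."""
    fields = split_unquoted(line.strip(), " \t")
    if not fields or fields[0].startswith("#"):
        return None
    if fields[0] in KEY_TYPES:
        opts, ktype = "", fields[0]
    elif len(fields) > 1 and fields[1] in KEY_TYPES:
        opts, ktype = fields[0], fields[1]
    else:
        return None  # protocol 1 key or unrecognised line: out of scope
    for opt in split_unquoted(opts, ","):
        if opt.lower().startswith("from="):
            return ktype, opt[5:].strip('"')
    return ktype, None

def risky_pairs(text):
    """Return (line_a, line_b, from_a, from_b) for each ordering at risk."""
    keys = [(no,) + p for no, line in enumerate(text.splitlines(), 1)
            if (p := parse_key_line(line))]
    # Restricted key, then a key of another type with a different from= value.
    return [(na, nb, fa, fb) for (na, ta, fa), (nb, tb, fb) in zip(keys, keys[1:])
            if fa is not None and ta != tb and fa != fb]

if __name__ == "__main__": print(risky_pairs(SAMPLE))
```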
