More info for the impatient and paranoid ... ----- Forwarded message from Markus Friedl <[EMAIL PROTECTED]> ----- Delivered-To: [EMAIL PROTECTED] Date: Wed, 26 Sep 2001 23:05:19 +0200 From: Markus Friedl <[EMAIL PROTECTED]> To: [EMAIL PROTECTED] Subject: OpenSSH 2.9.9 User-Agent: Mutt/1.2.5i Precedence: bulk X-Loop: [EMAIL PROTECTED] OpenSSH 2.9.9 has just been uploaded. It will be available from the mirrors listed at http://www.openssh.com/ shortly. OpenSSH 2.9.9 fixes a weakness in the key file option handling, including source IP based access control. OpenSSH is a 100% complete SSH protocol version 1.3, 1.5 and 2.0 implementation and includes sftp client and server support. This release contains many portability bug-fixes (listed in the ChangeLog) as well as several new features (listed below). We would like to thank the OpenSSH community for their continued support and encouragement. Security Notes: =============== This release fixes weakness in the source IP based access control for SSH protocol v2 public key authentication: Versions of OpenSSH between 2.5 and 2.9.9 are affected if they use the 'from=' key file option in combination with both RSA and DSA keys in ~/.ssh/authorized_keys2. Depending on the order of the user keys in ~/.ssh/authorized_keys2 sshd might fail to apply the source IP based access control restriction (e.g. from="10.0.0.1") to the correct key: If a source IP restricted key (e.g. DSA key) is immediately followed by a key of a different type (e.g. RSA key), then key options for the second key are applied to both keys, which includes 'from='. This means that users can circumvent the system policy and login from disallowed source IP addresses. Important Changes: ================== OpenSSH 2.9.9 might have upgrade issues introduced by the long time between releases, which may affect people in unforseen ways: 1) The files /etc/ssh_known_hosts2 ~/.ssh/known_hosts2 ~/.ssh/authorized_keys2 are now obsolete, you can use /etc/ssh_known_hosts ~/.ssh/known_hosts ~/.ssh/authorized_keys For backward compatibility ~/.ssh/authorized_keys2 is still used for authentication and hostkeys are still read from the known_hosts2. However, old files are considered 'readonly'. Future releases are likely to not read these files. 2) The CheckMail option in sshd_config is deprecated, sshd no longer checks for new mail. 3) X11 cookies are stored in $HOME OpenSSH is brought to you by Markus Friedl, Niels Provos, Theo de Raadt, Kevin Steves, Damien Miller and Ben Lindstrom. ----- End forwarded message ----- -- <[EMAIL PROTECTED]> <[EMAIL PROTECTED]> <[EMAIL PROTECTED]>
