2446674e73
- Update to openssh 9.6p1:
* No changes for askpass, see main package changelog for
details.
- Update to openssh 9.6p1:
= Security
* ssh(1), sshd(8): implement protocol extensions to thwart the
so-called "Terrapin attack" discovered by Fabian Bäumer, Marcus
Brinkmann and Jörg Schwenk. This attack allows a MITM to effect a
limited break of the integrity of the early encrypted SSH transport
protocol by sending extra messages prior to the commencement of
encryption, and deleting an equal number of consecutive messages
immediately after encryption starts. A peer SSH client/server
would not be able to detect that messages were deleted.
* ssh-agent(1): when adding PKCS#11-hosted private keys while
specifying destination constraints, if the PKCS#11 token returned
multiple keys then only the first key had the constraints applied.
Use of regular private keys, FIDO tokens and unconstrained keys
are unaffected.
* ssh(1): if an invalid user or hostname that contained shell
metacharacters was passed to ssh(1), and a ProxyCommand,
LocalCommand directive or "match exec" predicate referenced the
user or hostname via %u, %h or similar expansion token, then
an attacker who could supply arbitrary user/hostnames to ssh(1)
could potentially perform command injection depending on what
quoting was present in the user-supplied ssh_config(5) directive.
= Potentially incompatible changes
* ssh(1), sshd(8): the RFC4254 connection/channels protocol provides
a TCP-like window mechanism that limits the amount of data that
can be sent without acceptance from the peer. In cases where this (forwarded request 1150500 from hpjansson)
OBS-URL: https://build.opensuse.org/request/show/1150501
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/openssh?expand=0&rev=170
There are following changes in default settings of ssh client and server: * Accepting and sending of locale environment variables in protocol 2 is enabled. * PAM authentication is enabled and mostly even required, do not turn it off. * DSA authentication is enabled by default for maximum compatibility. NOTE: do not use DSA authentication since it is being phased out for a reason - the size of DSA keys is limited by the standard to 1024 bits which cannot be considered safe any more. * Accepting all RFC4419 specified DH group parameters. See KexDHMin in ssh_config and sshd_config manual pages. For more information on differences in SUSE OpenSSH package see README.FIPS