Releases | Page 8 | itefix.net

Copssh server 7.8.1

release date:

2021-10-26

Changelog

LibreSSL 3.4.1

https://ftp.openbsd.org/pub/OpenBSD/LibreSSL/libressl-3.4.1-relnotes.txt

We have released LibreSSL 3.4.1, which will be arriving in the
LibreSSL directory of your local OpenBSD mirror soon. This is the
first stable release for the 3.4.x branch, also available with OpenBSD 7.0.

It includes the following changes from LibreSSL 3.3.x

  * New Features
    - Added support for OpenSSL 1.1.1 TLSv1.3 APIs.
    - Enabled the new X.509 validator to allow verification of
      modern certificate chains.
  * Portable Improvements
    - Added Universal Windows Platform (UWP) build support.
    - Fixed mingw-w64 builds on newer versions with missing SSP support.
  * API and Documentation Enhancements
    - Added the following APIs from OpenSSL
      BN_bn2binpad BN_bn2lebinpad BN_lebin2bn EC_GROUP_get_curve
      EC_GROUP_order_bits EC_GROUP_set_curve
      EC_POINT_get_affine_coordinates
      EC_POINT_set_affine_coordinates
      EC_POINT_set_compressed_coordinates EVP_DigestSign
      EVP_DigestVerify SSL_CIPHER_find SSL_CTX_get0_privatekey
      SSL_CTX_get_max_early_data SSL_CTX_get_ssl_method
      SSL_CTX_set_ciphersuites SSL_CTX_set_max_early_data
      SSL_CTX_set_post_handshake_auth SSL_SESSION_get0_cipher
      SSL_SESSION_get_max_early_data SSL_SESSION_is_resumable
      SSL_SESSION_set_max_early_data SSL_get_early_data_status
      SSL_get_max_early_data SSL_read_early_data SSL_set0_rbio
      SSL_set_ciphersuites SSL_set_max_early_data
      SSL_set_post_handshake_auth
      SSL_set_psk_use_session_callback
      SSL_verify_client_post_handshake SSL_write_early_data
    - Added AES-GCM constants from RFC 7714 for SRTP.
  * Compatibility Changes
    - Implement flushing for TLSv1.3 handshakes behavior, needed for Apache.
    - Call the info callback on connect/accept exit in TLSv1.3,
      needed for p5-Net-SSLeay.
    - Default to using named curve parameter encoding from
      pre-OpenSSL 1.1.0, adding OPENSSL_EC_EXPLICIT_CURVE.
    - Do not ignore SSL_TLSEXT_ERR_FATAL from the ALPN callback.
  * Testing and Proactive Security
    - Added additional state machine test coverage.
    - Improved integration test support with ruby/openssl tests.
    - Error codes and callback support in new X.509 validator made
      compatible with p5-Net_SSLeay tests.
  * Internal Improvements
    - Numerous fixes and improvements to the new X.509 validator to
      ensure compatible error codes and callback support compatible
      with the legacy OpenSSL validator.

The LibreSSL project continues improvement of the codebase to reflect modern,
safe programming practices. We welcome feedback and improvements from the
broader community. Thanks to all of the contributors who helped make this
release possible.

component name	component version	component license	component source
OpenSSH	8.8p	OpenSSH license
LibreSSL	3.4.1	LibreSSL license
Cygwin	3.2.0	Cygwin license (GPL/LGPL)	Source code for Cygwin
Copssh Control Panel	4.0.1	Itefix EULA
Copssh server	7.8.1	Itefix EULA

2021

Copssh server 7.8.0

release date:

2021-09-27

Changelog

OpenSSH 8.8p (Security)

Security
========

sshd(8) from OpenSSH 6.2 through 8.7 failed to correctly initialise
supplemental groups when executing an AuthorizedKeysCommand or
AuthorizedPrincipalsCommand, where a AuthorizedKeysCommandUser or
AuthorizedPrincipalsCommandUser directive has been set to run the
command as a different user. Instead these commands would inherit
the groups that sshd(8) was started with.

Depending on system configuration, inherited groups may allow
AuthorizedKeysCommand/AuthorizedPrincipalsCommand helper programs to
gain unintended privilege.

Neither AuthorizedKeysCommand nor AuthorizedPrincipalsCommand are
enabled by default in sshd_config(5).

Potentially-incompatible changes
================================

This release disables RSA signatures using the SHA-1 hash algorithm
by default. This change has been made as the SHA-1 hash algorithm is
cryptographically broken, and it is possible to create chosen-prefix
hash collisions for <USD$50K 

For most users, this change should be invisible and there is
no need to replace ssh-rsa keys. OpenSSH has supported RFC8332
RSA/SHA-256/512 signatures since release 7.2 and existing ssh-rsa keys
will automatically use the stronger algorithm where possible.

Incompatibility is more likely when connecting to older SSH
implementations that have not been upgraded or have not closely tracked
improvements in the SSH protocol. For these cases, it may be necessary
to selectively re-enable RSA/SHA1 to allow connection and/or user
authentication via the HostkeyAlgorithms and PubkeyAcceptedAlgorithms
options. For example, the following stanza in ~/.ssh/config will enable
RSA/SHA1 for host and user authentication for a single destination host:

    Host old-host
        HostkeyAlgorithms +ssh-rsa
	PubkeyAcceptedAlgorithms +ssh-rsa

We recommend enabling RSA/SHA1 only as a stopgap measure until legacy
implementations can be upgraded or reconfigured with another key type
(such as ECDSA or Ed25519).

 "SHA-1 is a Shambles: First Chosen-Prefix Collision on SHA-1 and
    Application to the PGP Web of Trust" Leurent, G and Peyrin, T
    (2020) https://eprint.iacr.org/2020/014.pdf

component name	component version	component license	component source
OpenSSH	8.8p	OpenSSH license
LibreSSL	3.3.3	LibreSSL license
Cygwin	3.2.0	Cygwin license (GPL/LGPL)	Source code for Cygwin
Copssh Control Panel	4.0.1	Itefix EULA
Copssh server	7.8.0	Itefix EULA

2021

Copssh server 7.7.0

release date:

2021-08-24

Changelog

OpenSSH 8.7p

component name	component version	component license	component source
OpenSSH	8.7p	OpenSSH license
LibreSSL	3.3.3	LibreSSL license
Cygwin	3.2.0	Cygwin license (GPL/LGPL)	Source code for Cygwin
Copssh Control Panel	4.0.1	Itefix EULA
Copssh server	7.7.0	Itefix EULA

2021

Copssh server 7.6.0

release date:

2021-05-04

Changelog

OpenSSH 8.6p
LibreSSL 3.3.3
Cygwin 3.2.0

component name	component version	component license	component source
OpenSSH	8.6p	OpenSSH license
LibreSSL	3.3.3	LibreSSL license
Cygwin	3.2.0	Cygwin license (GPL/LGPL)	Source code for Cygwin
Copssh Control Panel	4.0.1	Itefix EULA
Copssh server	7.6.0	Itefix EULA

2021

Copssh server 7.5.0

release date:

2021-03-07

Changelog

OpenSSH 8.5p
LibreSSL 3.2.4

component name	component version	component license	component source
OpenSSH	8.5p	OpenSSH license
LibreSSL	3.2.4	LibreSSL license
Cygwin	3.1.7	Cygwin license (GPL/LGPL)	Source code for Cygwin
Copssh Control Panel	4.0.1	Itefix EULA
Copssh server	7.5.0	Itefix EULA

2021

Copssh server 7.8.1

release date:

Copssh server 7.8.0

release date:

Copssh server 7.7.0

release date:

Copssh server 7.6.0

release date:

Copssh server 7.5.0

release date:

Pages