Changelog
LibreSSL 3.9.2
Cygwin 3.5.3
Cygwin 3.4.10 was the LAST major version supporting
- Windows 7 / 8
- Windows Server 2008 R2 / 2012
- Cygwin 3.5.x runs on
- Windows 8.1 / 10 / 11
- Windows Server 2012 R2 / 2016 / 2019 / 2022
- and (hopefully) all upcoming releases of Windows.
component name component version component license component source
Changelog
component name component version component license component source
Changelog
OpenSSH 9.6p1
Cygwin 3.4.10
component name component version component license component source
Changelog
From OpenSSH team:
OpenSSH 9.6 was released on 2023-12-18. It is available from the
mirrors listed at https://www.openssh.com/.
OpenSSH is a 100% complete SSH protocol 2.0 implementation and
includes sftp client and server support.
Once again, we would like to thank the OpenSSH community for their
continued support of the project, especially those who contributed
code or patches, reported bugs, tested snapshots or donated to the
project. More information on donations may be found at:
https://www.openssh.com/donations.html
Changes since OpenSSH 9.5
=========================
This release contains a number of security fixes, some small features
and bugfixes.
Security
========
This release contains fixes for a newly-discovered weakness in the
SSH transport protocol, a logic error relating to constrained PKCS#11
keys in ssh-agent(1) and countermeasures for programs that invoke
ssh(1) with user or hostnames containing invalid characters.
* ssh(1), sshd(8): implement protocol extensions to thwart the
so-called "Terrapin attack" discovered by Fabian Bäumer, Marcus
Brinkmann and Jörg Schwenk. This attack allows a MITM to effect a
limited break of the integrity of the early encrypted SSH transport
protocol by sending extra messages prior to the commencement of
encryption, and deleting an equal number of consecutive messages
immediately after encryption starts. A peer SSH client/server
would not be able to detect that messages were deleted.
While cryptographically novel, the security impact of this attack
is fortunately very limited as it only allows deletion of
consecutive messages, and deleting most messages at this stage of
the protocol prevents user user authentication from proceeding and
results in a stuck connection.
The most serious identified impact is that it lets a MITM to
delete the SSH2_MSG_EXT_INFO message sent before authentication
starts, allowing the attacker to disable a subset of the keystroke
timing obfuscation features introduced in OpenSSH 9.5. There is no
other discernable impact to session secrecy or session integrity.
OpenSSH 9.6 addresses this protocol weakness through a new "strict
KEX" protocol extension that will be automatically enabled when
both the client and server support it. This extension makes
two changes to the SSH transport protocol to improve the integrity
of the initial key exchange.
Firstly, it requires endpoints to terminate the connection if any
unnecessary or unexpected message is received during key exchange
(including messages that were previously legal but not strictly
required like SSH2_MSG_DEBUG). This removes most malleability from
the early protocol.
Secondly, it resets the Message Authentication Code counter at the
conclusion of each key exchange, preventing previously inserted
messages from being able to make persistent changes to the
sequence number across completion of a key exchange. Either of
these changes should be sufficient to thwart the Terrapin Attack.
More details of these changes are in the PROTOCOL file in the
OpenSSH source distribition.
* ssh-agent(1): when adding PKCS#11-hosted private keys while
specifying destination constraints, if the PKCS#11 token returned
multiple keys then only the first key had the constraints applied.
Use of regular private keys, FIDO tokens and unconstrained keys
are unaffected.
* ssh(1): if an invalid user or hostname that contained shell
metacharacters was passed to ssh(1), and a ProxyCommand,
LocalCommand directive or "match exec" predicate referenced the
user or hostname via %u, %h or similar expansion token, then
an attacker who could supply arbitrary user/hostnames to ssh(1)
could potentially perform command injection depending on what
quoting was present in the user-supplied ssh_config(5) directive.
This situation could arise in the case of git submodules, where
a repository could contain a submodule with shell characters in
its user/hostname. Git does not ban shell metacharacters in user
or host names when checking out repositories from untrusted
sources.
Although we believe it is the user's responsibility to ensure
validity of arguments passed to ssh(1), especially across a
security boundary such as the git example above, OpenSSH 9.6 now
bans most shell metacharacters from user and hostnames supplied
via the command-line. This countermeasure is not guaranteed to be
effective in all situations, as it is infeasible for ssh(1) to
universally filter shell metacharacters potentially relevant to
user-supplied commands.
User/hostnames provided via ssh_config(5) are not subject to these
restrictions, allowing configurations that use strange names to
continue to be used, under the assumption that the user knows what
they are doing in their own configuration files.
Potentially incompatible changes
--------------------------------
* ssh(1), sshd(8): the RFC4254 connection/channels protocol provides
a TCP-like window mechanism that limits the amount of data that
can be sent without acceptance from the peer. In cases where this
limit was exceeded by a non-conforming peer SSH implementation,
ssh(1)/sshd(8) previously discarded the extra data. From OpenSSH
9.6, ssh(1)/sshd(8) will now terminate the connection if a peer
exceeds the window limit by more than a small grace factor. This
change should have no effect of SSH implementations that follow
the specification.
New features
------------
* ssh(1): add a %j token that expands to the configured ProxyJump
hostname (or the empty string if this option is not being used)
that can be used in a number of ssh_config(5) keywords. bz3610
* ssh(1): add ChannelTimeout support to the client, mirroring the
same option in the server and allowing ssh(1) to terminate
quiescent channels.
* ssh(1), sshd(8), ssh-add(1), ssh-keygen(1): add support for
reading ED25519 private keys in PEM PKCS8 format. Previously
only the OpenSSH private key format was supported.
* ssh(1), sshd(8): introduce a protocol extension to allow
renegotiation of acceptable signature algorithms for public key
authentication after the server has learned the username being
used for authentication. This allows varying sshd_config(5)
PubkeyAcceptedAlgorithms in a "Match user" block.
* ssh-add(1), ssh-agent(1): add an agent protocol extension to allow
specifying certificates when loading PKCS#11 keys. This allows the
use of certificates backed by PKCS#11 private keys in all OpenSSH
tools that support ssh-agent(1). Previously only ssh(1) supported
this use-case.
Bugfixes
--------
* ssh(1): when deciding whether to enable the keystroke timing
obfuscation, enable it only if a channel with a TTY is active.
* ssh(1): switch mainloop from poll(3) to ppoll(3) and mask signals
before checking flags set in signal handler. Avoids potential
race condition between signaling ssh to exit and polling. bz3531
* ssh(1): when connecting to a destination with both the
AddressFamily and CanonicalizeHostname directives in use,
the AddressFamily directive could be ignored. bz5326
* sftp(1): correct handling of the limits@openssh.com option when
the server returned an unexpected message.
* A number of fixes to the PuTTY and Dropbear regress/integration
tests.
* ssh(1): release GSS OIDs only at end of authentication, avoiding
unnecessary init/cleanup cycles. bz2982
* ssh_config(5): mention "none" is a valid argument to IdentityFile
in the manual. bz3080
* scp(1): improved debugging for paths from the server rejected for
not matching the client's glob(3) pattern in old SCP/RCP protocol
mode.
* ssh-agent(1): refuse signing operations on destination-constrained
keys if a previous session-bind operation has failed. This may
prevent a fail-open situation in future if a user uses a mismatched
ssh(1) client and ssh-agent(1) where the client supports a key type
that the agent does not support.
Portability
-----------
* Better identify unsupported and unstable compiler flags, such as
-fzero-call-used-regs which has been unstable across a several
clang releases.
* A number of fixes to regression test reliability and log
collection.
* Update the OpenSSL dependency in the RPM specification.
* sshd(8): for OpenSolaris systems that support privilege limitation
via the getpflags() interface, prefer using the newer PRIV_XPOLICY
to PRIV_LIMIT. bz2833
Checksums:
==========
- SHA1 (openssh-9.6.tar.gz) = a6d4cb69811e879e2f158c2e597fd9f444b26506
- SHA256 (openssh-9.6.tar.gz) = nejPUhSnG1R1sOmIBi/t+HMNvsRqfN/DJgjwIU2tvqg=
- SHA1 (openssh-9.6p1.tar.gz) = de300d09ec79fdbf37de4e6672cce4161439f2c3
- SHA256 (openssh-9.6p1.tar.gz) = kQIRwHJVqMWtZUORtA7lmABxDdgRndU2LeCThap6d3w=
Please note that the SHA256 signatures are base64 encoded and not
hexadecimal (which is the default for most checksum tools). The PGP
key used to sign the releases is available from the mirror sites:
https://cdn.openbsd.org/pub/OpenBSD/OpenSSH/RELEASE_KEY.asc
Reporting Bugs:
===============
- Please read https://www.openssh.com/report.html
Security bugs should be reported directly to openssh@openssh.com
component name component version component license component source
Changelog
We have released LibreSSL 3.8.2, which will be arriving in the
LibreSSL directory of your local OpenBSD mirror soon. This is the
first stable release for the 3.8.x branch, also available with OpenBSD 7.4
It includes the following changes from LibreSSL 3.8.1
* Portable changes
- Fixed processor detection for CMake targets.
Thanks to @jiegec from github.
- Enabled building oscpcheck with MSVC.
Thanks to @FtZPetruska from github.
- Improve CMake package detection and installation.
Thanks to @mark-groundctl from github.
- Fixed assembly optimizations on x64 Windows targets.
- Allow disabling warnings about WINCRYPT overrides.
- Use system arc4random on FreeBSD 12 and newer.
* Documentation improvements
- Documented the RFC 3779 API.
* Compatibility changes
- Restrict the RFC 3779 code to IPv4 and IPv6. It was not written
to be able to deal with anything else.
- Fixed EVP_CIPHER_CTX_iv_length() to return what was set with
EVP_CTRL_AEAD_SET_IVLEN or one of its aliases.
* Bug fixes
- Fixed EVP_PKEY_get{0,1}_RSA for RSA-PSS.
- Plug a potential memory leak in ASN1_TIME_normalize().
- Avoid memory leak in EVP_CipherInit().
- Redirect EVP_PKEY_get1_* through their get0 siblings.
- Fixed a use of uninitialized in i2r_IPAddrBlocks().
- Rewrote CMS_SignerInfo_{sign,verify}().
- Further cleanup and refactoring in the EC code.
- Allow IP addresses to be specified in a URI.
- Fixed a copy-paste error in ASN1_TIME_compare() that could lead
to two UTCTimes or two GeneralizedTimes incorrectly being compared
as equal.
The LibreSSL project continues improvement of the codebase to reflect modern,
safe programming practices. We welcome feedback and improvements from the
broader community. Thanks to all of the contributors who helped make this
release possible.
component name component version component license component source
Changelog
OpenSSH 9.5 was released on 2023-10-04. It is available from the
mirrors listed at https://www.openssh.com/.
OpenSSH is a 100% complete SSH protocol 2.0 implementation and
includes sftp client and server support.
Once again, we would like to thank the OpenSSH community for their
continued support of the project, especially those who contributed
code or patches, reported bugs, tested snapshots or donated to the
project. More information on donations may be found at:
https://www.openssh.com/donations.html
Changes since OpenSSH 9.4
=========================
This release fixes a number of bugs and adds some small features.
Potentially incompatible changes
--------------------------------
* ssh-keygen(1): generate Ed25519 keys by default. Ed25519 public keys
are very convenient due to their small size. Ed25519 keys are
specified in RFC 8709 and OpenSSH has supported them since version 6.5
(January 2014).
* sshd(8): the Subsystem directive now accurately preserves quoting of
subsystem commands and arguments. This may change behaviour for exotic
configurations, but the most common subsystem configuration
(sftp-server) is unlikely to be affected.
New features
------------
* ssh(1): add keystroke timing obfuscation to the client. This attempts
to hide inter-keystroke timings by sending interactive traffic at
fixed intervals (default: every 20ms) when there is only a small
amount of data being sent. It also sends fake "chaff" keystrokes for
a random interval after the last real keystroke. These are
controlled by a new ssh_config ObscureKeystrokeTiming keyword.
* ssh(1), sshd(8): Introduce a transport-level ping facility. This adds
a pair of SSH transport protocol messages SSH2_MSG_PING/PONG to
implement a ping capability. These messages use numbers in the "local
extensions" number space and are advertised using a "ping@openssh.com"
ext-info message with a string version number of "0".
* sshd(8): allow override of Subsystem directives in sshd Match blocks.
Bugfixes
--------
* scp(1): fix scp in SFTP mode recursive upload and download of
directories that contain symlinks to other directories. In scp mode,
the links would be followed, but in SFTP mode they were not. bz3611
* ssh-keygen(1): handle cr+lf (instead of just cr) line endings in
sshsig signature files.
* ssh(1): interactive mode for ControlPersist sessions if they
originally requested a tty.
* sshd(8): make PerSourceMaxStartups first-match-wins
* sshd(8): limit artificial login delay to a reasonable maximum (5s)
and don't delay at all for the "none" authentication mechanism.cw
bz3602
* sshd(8): Log errors in kex_exchange_identification() with level
verbose instead of error to reduce preauth log spam. All of those
get logged with a more generic error message by sshpkt_fatal().
* sshd(8): correct math for ClientAliveInterval that caused the probes
to be sent less frequently than configured.
* ssh(1): fix regression in OpenSSH 9.4 (mux.c r1.99) that caused
multiplexed sessions to ignore SIGINT under some circumstances.
Portability
-----------
* Avoid clang zero-call-used-regs=all bug on Apple compilers, which
for some reason have version numbers that do not match the upstream
clang version numbers. bz#3584
* Fix configure test for zlib 1.3 and later/development versions. bz3604
Checksums:
==========
- SHA1 (openssh-9.5.tar.gz) = 8a0bd3a91fac338d97d91817af58df731f6509a3
- SHA256 (openssh-9.5.tar.gz) = sVMxeM3d6g65qBMktJIofxmK4Ipg9dblKif0VnhPeO0=
- SHA1 (openssh-9.5p1.tar.gz) = 35c16dcc6e7d0a9465faa241476ef24f76b196cc
- SHA256 (openssh-9.5p1.tar.gz) = 8Cbnt5un+1QPdRgq+W3IqPHbOV+SK7yfbKYDZyaGCGs=
Please note that the SHA256 signatures are base64 encoded and not
hexadecimal (which is the default for most checksum tools). The PGP
key used to sign the releases is available from the mirror sites:
https://cdn.openbsd.org/pub/OpenBSD/OpenSSH/RELEASE_KEY.asc
Reporting Bugs:
===============
- Please read https://www.openssh.com/report.html
Security bugs should be reported directly to openssh@openssh.com
component name component version component license component source
Changelog
component name component version component license component source
Changelog
Cygwin 3.4.8 (fixes 'Bad address' issue when running DOS programs as non-privileged users)
component name component version component license component source
Changelog
component name component version component license component source
Changelog
component name component version component license component source
Changelog
LibreSSL 3.7.3
Cygwin 3.4.7
component name component version component license component source
Changelog
LibreSSL 3.7.2
Cygwin 3.4.6
component name component version component license component source
Changelog
Fix - Installer finish page - Auto run doesn't work
New - Installer finish page - Option to create shortcut at desktop
component name component version component license component source
Changelog
OpenSSH 9.3p
LibreSSL 3.6.2
component name component version component license component source
Changelog
component name component version component license component source
Changelog
Changes since OpenSSH 9.1
=========================
This release fixes a number of security bugs.
Security
========
This release contains fixes for two security problems and a memory
safety problem. The memory safety problem is not believed to be
exploitable, but we report most network-reachable memory faults as
security bugs.
* sshd(8): fix a pre-authentication double-free memory fault
introduced in OpenSSH 9.1. This is not believed to be exploitable,
and it occurs in the unprivileged pre-auth process that is
subject to chroot(2) and is further sandboxed on most major
platforms.
* ssh(8): in OpenSSH releases after 8.7, the PermitRemoteOpen option
would ignore its first argument unless it was one of the special
keywords "any" or "none", causing the permission list to fail open
if only one permission was specified. bz3515
* ssh(1): if the CanonicalizeHostname and CanonicalizePermittedCNAMEs
options were enabled, and the system/libc resolver did not check
that names in DNS responses were valid, then use of these options
could allow an attacker with control of DNS to include invalid
characters (possibly including wildcards) in names added to
known_hosts files when they were updated. These names would still
have to match the CanonicalizePermittedCNAMEs allow-list, so
practical exploitation appears unlikely. ....
component name component version component license component source
Changelog
LibreSSL 3.6.1
Cygwin 3.3.6
component name component version component license component source
Changelog
component name component version component license component source
Changelog
LibreSSL 3.5.3
Cygwin 3.3.5
Major tool update
component name component version component license component source
Changelog
OpenSSH 9.0p
LibreSSL 3.5.1
Cygwin 3.3.4
component name component version component license component source
Changelog
component name component version component license component source
Changelog
LibreSSL 3.4.2
Cygwin 3.3.3
component name component version component license component source
Changelog
Highlights:
- The internal implementation of pipes has been overhauled; this should result in improved performance. Addresses: https://cygwin.com/pipermail/cygwin/2021-August/249238.html
==========================================================================
IMPORTANT DEPRECATION NOTES
==========================================================================
- Cygwin 3.3.0 is the LAST major version supporting
- Windows Vista
- Windows Server 2008
- Cygwin 3.3.0 is the LAST major version supporting 32 bit installations.
component name component version component license component source
Changelog
https://ftp.openbsd.org/pub/OpenBSD/LibreSSL/libressl-3.4.1-relnotes.txt:
We have released LibreSSL 3.4.1, which will be arriving in the
LibreSSL directory of your local OpenBSD mirror soon. This is the
first stable release for the 3.4.x branch, also available with OpenBSD 7.0.
It includes the following changes from LibreSSL 3.3.x
* New Features
- Added support for OpenSSL 1.1.1 TLSv1.3 APIs.
- Enabled the new X.509 validator to allow verification of
modern certificate chains.
* Portable Improvements
- Added Universal Windows Platform (UWP) build support.
- Fixed mingw-w64 builds on newer versions with missing SSP support.
* API and Documentation Enhancements
- Added the following APIs from OpenSSL
BN_bn2binpad BN_bn2lebinpad BN_lebin2bn EC_GROUP_get_curve
EC_GROUP_order_bits EC_GROUP_set_curve
EC_POINT_get_affine_coordinates
EC_POINT_set_affine_coordinates
EC_POINT_set_compressed_coordinates EVP_DigestSign
EVP_DigestVerify SSL_CIPHER_find SSL_CTX_get0_privatekey
SSL_CTX_get_max_early_data SSL_CTX_get_ssl_method
SSL_CTX_set_ciphersuites SSL_CTX_set_max_early_data
SSL_CTX_set_post_handshake_auth SSL_SESSION_get0_cipher
SSL_SESSION_get_max_early_data SSL_SESSION_is_resumable
SSL_SESSION_set_max_early_data SSL_get_early_data_status
SSL_get_max_early_data SSL_read_early_data SSL_set0_rbio
SSL_set_ciphersuites SSL_set_max_early_data
SSL_set_post_handshake_auth
SSL_set_psk_use_session_callback
SSL_verify_client_post_handshake SSL_write_early_data
- Added AES-GCM constants from RFC 7714 for SRTP.
* Compatibility Changes
- Implement flushing for TLSv1.3 handshakes behavior, needed for Apache.
- Call the info callback on connect/accept exit in TLSv1.3,
needed for p5-Net-SSLeay.
- Default to using named curve parameter encoding from
pre-OpenSSL 1.1.0, adding OPENSSL_EC_EXPLICIT_CURVE.
- Do not ignore SSL_TLSEXT_ERR_FATAL from the ALPN callback.
* Testing and Proactive Security
- Added additional state machine test coverage.
- Improved integration test support with ruby/openssl tests.
- Error codes and callback support in new X.509 validator made
compatible with p5-Net_SSLeay tests.
* Internal Improvements
- Numerous fixes and improvements to the new X.509 validator to
ensure compatible error codes and callback support compatible
with the legacy OpenSSL validator.
The LibreSSL project continues improvement of the codebase to reflect modern,
safe programming practices. We welcome feedback and improvements from the
broader community. Thanks to all of the contributors who helped make this
release possible.
component name component version component license component source
Changelog
Security
========
sshd(8) from OpenSSH 6.2 through 8.7 failed to correctly initialise
supplemental groups when executing an AuthorizedKeysCommand or
AuthorizedPrincipalsCommand, where a AuthorizedKeysCommandUser or
AuthorizedPrincipalsCommandUser directive has been set to run the
command as a different user. Instead these commands would inherit
the groups that sshd(8) was started with.
Depending on system configuration, inherited groups may allow
AuthorizedKeysCommand/AuthorizedPrincipalsCommand helper programs to
gain unintended privilege.
Neither AuthorizedKeysCommand nor AuthorizedPrincipalsCommand are
enabled by default in sshd_config(5).
Potentially-incompatible changes
================================
This release disables RSA signatures using the SHA-1 hash algorithm
by default. This change has been made as the SHA-1 hash algorithm is
cryptographically broken, and it is possible to create chosen-prefix
hash collisions for <USD$50K
For most users, this change should be invisible and there is
no need to replace ssh-rsa keys. OpenSSH has supported RFC8332
RSA/SHA-256/512 signatures since release 7.2 and existing ssh-rsa keys
will automatically use the stronger algorithm where possible.
Incompatibility is more likely when connecting to older SSH
implementations that have not been upgraded or have not closely tracked
improvements in the SSH protocol. For these cases, it may be necessary
to selectively re-enable RSA/SHA1 to allow connection and/or user
authentication via the HostkeyAlgorithms and PubkeyAcceptedAlgorithms
options. For example, the following stanza in ~/.ssh/config will enable
RSA/SHA1 for host and user authentication for a single destination host:
Host old-host
HostkeyAlgorithms +ssh-rsa
PubkeyAcceptedAlgorithms +ssh-rsa
We recommend enabling RSA/SHA1 only as a stopgap measure until legacy
implementations can be upgraded or reconfigured with another key type
(such as ECDSA or Ed25519).
"SHA-1 is a Shambles: First Chosen-Prefix Collision on SHA-1 and
Application to the PGP Web of Trust" Leurent, G and Peyrin, T
(2020) https://eprint.iacr.org/2020/014.pdf
component name component version component license component source
Changelog
component name component version component license component source
Changelog
OpenSSH 8.6p
LibreSSL 3.3.3
Cygwin 3.2.0
component name component version component license component source
Changelog
OpenSSH 8.5p
LibreSSL 3.2.4
component name component version component license component source
Changelog
Use a built-in password generator instead of an external tool
component name component version component license component source
Changelog
component name component version component license component source
Changelog
Copssh version 7.4.0 installers come with OpenSSH 8.4p(link is external) and LibreSSL 3.1.4(link is external) . Cygwin and GNU tools are also upgraded.
Future deprecation notice
=========================
It is now possible to perform chosen-prefix attacks against the
SHA-1 algorithm for less than USD$50K. For this reason, we will be
disabling the "ssh-rsa" public key signature algorithm by default in a
near-future release.
This algorithm is unfortunately still used widely despite the
existence of better alternatives, being the only remaining public key
signature algorithm specified by the original SSH RFCs.
The better alternatives include:
* The RFC8332 RSA SHA-2 signature algorithms rsa-sha2-256/512. These
algorithms have the advantage of using the same key type as
"ssh-rsa" but use the safe SHA-2 hash algorithms. These have been
supported since OpenSSH 7.2 and are already used by default if the
client and server support them.
* The ssh-ed25519 signature algorithm. It has been supported in
OpenSSH since release 6.5.
* The RFC5656 ECDSA algorithms: ecdsa-sha2-nistp256/384/521. These
have been supported by OpenSSH since release 5.7.
To check whether a server is using the weak ssh-rsa public key
algorithm, for host authentication, try to connect to it after
removing the ssh-rsa algorithm from ssh(1)'s allowed list:
ssh -oHostKeyAlgorithms=-ssh-rsa user@host
If the host key verification fails and no other supported host key
types are available, the server software on that host should be
upgraded.
We intend to enable UpdateHostKeys by default in the next OpenSSH
release. This will assist the client by automatically migrating to
better algorithms. Users may consider enabling this option manually.
"SHA-1 is a Shambles: First Chosen-Prefix Collision on SHA-1 and
Application to the PGP Web of Trust" Leurent, G and Peyrin, T
(2020) https://eprint.iacr.org/2020/014.pdf
Security
========
* ssh-agent(1): restrict ssh-agent from signing web challenges for
FIDO/U2F keys.
When signing messages in ssh-agent using a FIDO key that has an
application string that does not start with "ssh:", ensure that the
message being signed is one of the forms expected for the SSH protocol
(currently public key authentication and sshsig signatures).
This prevents ssh-agent forwarding on a host that has FIDO keys
attached granting the ability for the remote side to sign challenges
for web authentication using those keys too.
Note that the converse case of web browsers signing SSH challenges is
already precluded because no web RP can have the "ssh:" prefix in the
application string that we require.
* ssh-keygen(1): Enable FIDO 2.1 credProtect extension when generating
a FIDO resident key.
The recent FIDO 2.1 Client to Authenticator Protocol introduced a
"credProtect" feature to better protect resident keys. We use this
option to require a PIN prior to all operations that may retrieve
a resident key from a FIDO token.
component name component version component license component source
Changelog Copssh version 7.3.0 installers come with OpenSSH 8.3p and LibreSSL 3.1.2 . (Due to version bump-up from LibreSSL 3.0.2 at our side, you may also be interested in release notes for 3.1.1 and 3.1.0 as well).
Security
========
* scp(1): when receiving files, scp(1) could be become desynchronised
if a utimes(2) system call failed. This could allow file contents
to be interpreted as file metadata and thereby permit an adversary
to craft a file system that, when copied with scp(1) in a
configuration that caused utimes(2) to fail (e.g. under a SELinux
policy or syscall sandbox), transferred different file names and
contents to the actual file system layout.
Exploitation of this is not likely as utimes(2) does not fail under
normal circumstances. Successful exploitation is not silent - the
output of scp(1) would show transfer errors followed by the actual
file(s) that were received.
Finally, filenames returned from the peer are (since openssh-8.0)
matched against the user's requested destination, thereby
disallowing a successful exploit from writing files outside the
user's selected target glob (or directory, in the case of a
recursive transfer). This ensures that this attack can achieve no
more than a hostile peer is already able to achieve within the scp protocol
Changelog Copssh version 7.2.0 installers come with OpenSSH 8.2p , LibreSSL 3.0.2 and most recent versions of Cygwin and GNU tools. We have also updated Copssh Control Panel with some minor fixes.
-- Incompatibility note for Copssh versions 6.x and earlier --
As of version 7.0, Copssh uses Cygwin 3.x libraries, introducing major and backwards-incompatible changes, thus requiring a reinstallation. You can follow our instructions here , to refresh your installation withour losing your existing setup.
Thanks to major changes in Cygwin, Copssh doesn't need a dedicated service account any longer and is run by the local system account.
The logic behind the sftp home directory isolation is now improved by introducing symbolic link folders: Each activated user gets a symbolic link folder /home/___username , pointing to the home directory provided via the User Activation wizard, resulting with a more stable and less error-prone solution. A small patch avoiding messages "bad ownership or modes for chroot directory" (non-relevant for a Copssh installation), is also introduced. NB! As always mentioned, even if the home directory isolation works as expected, you should use NTFS permissions on your file systems to achieve better security.
--- Potentially-incompatible changes in OpenSSH 8.2.0
This release includes a number of changes that may affect existing
configurations:
* ssh(1), sshd(8): the above removal of "ssh-rsa" from the accepted
CASignatureAlgorithms list.
* ssh(1), sshd(8): this release removes diffie-hellman-group14-sha1
from the default key exchange proposal for both the client and
server.
* ssh-keygen(1): the command-line options related to the generation
and screening of safe prime numbers used by the
diffie-hellman-group-exchange-* key exchange algorithms have
changed. Most options have been folded under the -O flag.
* sshd(8): the sshd listener process title visible to ps(1) has
changed to include information about the number of connections that
are currently attempting authentication and the limits configured
by MaxStartups.
* ssh-sk-helper(8): this is a new binary. It is used by the FIDO/U2F
support to provide address-space isolation for token middleware
libraries (including the internal one). It needs to be installed
in the expected path, typically under /usr/libexec or similar.
Changelog Copssh version 7.1.0 installers come with OpenSSH 8.1(link is external) with some security related updates:
ssh(1), sshd(8), ssh-add(1), ssh-keygen(1): an exploitable integer overflow bug was found in the private key parsing code for the XMSS key type. This key type is still experimental and support for it is not compiled by default. No user-facing autoconf option exists in portable OpenSSH to enable it. This bug was found by Adam Zabrocki and reported via SecuriTeam's SSD program.
ssh(1), sshd(8), ssh-agent(1): add protection for private keys at rest in RAM against speculation and memory side-channel attacks like Spectre, Meltdown and Rambleed. This release encrypts private keys when they are not in use with a symmetric key that is derived from a relatively large "prekey" consisting of random data (currently 16KB).
LibreSSL is also updated to 3.0.1(link is external) , including a port of Billy Brumley's fix for CVE-2019-1547 in OpenSSL 1.1.1.
-- Incompatibility note for Copssh versions 6.x and earlier --
As of version 7.0, Copssh uses Cygwin 3.x libraries, introducing major and backwards-incompatible changes, thus requiring a reinstallation. You can follow our instructions here , to refresh your installation withour losing your existing setup.
Thanks to major changes in Cygwin, Copssh doesn't need a dedicated service account any longer and is run by the local system account.
The logic behind the sftp home directory isolation is now improved by introducing symbolic link folders: Each activated user gets a symbolic link folder /home/___username , pointing to the home directory provided via the User Activation wizard, resulting with a more stable and less error-prone solution. A small patch(link is external) avoiding messages "bad ownership or modes for chroot directory" (non-relevant for a Copssh installation), is also introduced. NB! As always mentioned, even if the home directory isolation works as expected, you should use NTFS permissions on your file systems to achieve better security.
Changelog Copssh version 7.0.0 installers come with the latest Cygwin 3.x libraries, introducing major and backwards-incompatible changes, requiring a reinstallation. You can follow our instructions here , to refresh your installation withour losing your existing setup.
Thanks to major changes in Cygwin, Copssh doesn't need a dedicated service account any longer and is run by the local system account.
The logic behind the sftp home directory isolation is now improved by introducing symbolic link folders: Each activated user gets a symbolic link folder /home/___username , pointing to the home directory provided via the User Activation wizard, resulting with a more stable and less error-prone solution. A small patch(link is external) avoiding messages "bad ownership or modes for chroot directory" (non-relevant for a Copssh installation), is also introduced. NB! As always mentioned, even if the home directory isolation works as expected, you should use NTFS permissions on your file systems to achieve better security.
Changelog
Copssh version 6.5.0 installers come with OpenSSH 8.0p1 , which contains mitigation for a weakness in the scp(1) tool and protocol (CVE-2019-6111), in addition to many new features and bug fixes. SSL Library LibreSSL is also updated to its latest available version, 2.9.1 . Copssh Control Panel displays now related eventlog entries in local time instead of GMT, and the password length for the service account and the privilege separation account is increased to 36 chars (lower and uppercase and digits). The Copssh product bundle has now only installers with 64-bit binaries. 32-bit binaries are not offered any longer.
Changelog
Copssh version 6.4.0 installers come with OpenSSH 7.9p1 which is primarily a bug fix release. SSL Library LibreSSL is also updated to its latest available version, 2.8.2 ., in addition to Cygwin and GNU tools which have got a major refresh.
Changelog
Copssh version 6.3.0 installers come with OpenSSH 7.8p1 including a patch addressing CVE-2018-15473 . It is not marked as a security update by the OpenSSH team, as they consider it as a partial disclosure of non-sensitive information .
CHANGES:
Potentially-incompatible changes
This release includes a number of changes that may affect existing configurations:
* ssh-keygen(1): write OpenSSH format private keys by default instead of using OpenSSL's PEM format. The OpenSSH format, supported in OpenSSH releases since 2014 and described in the PROTOCOL.key file in the source distribution, offers substantially better protection against offline password guessing and supports key comments in private keys. If necessary, it is possible to write old PEM-style keys by adding "-m PEM" to ssh-keygen's arguments when generating or updating a key.
* sshd(8): remove internal support for S/Key multiple factor authentication. S/Key may still be used via PAM or BSD auth.
* ssh(1): remove vestigal support for running ssh(1) as setuid. This used to be required for hostbased authentication and the (long gone) rhosts-style authentication, but has not been necessary for a long time. Attempting to execute ssh as a setuid binary, or with uid != effective uid will now yield a fatal error at runtime.
* sshd(8): the semantics of PubkeyAcceptedKeyTypes and the similar HostbasedAcceptedKeyTypes options have changed. These now specify signature algorithms that are accepted for their respective authentication mechanism, where previously they specified accepted key types. This distinction matters when using the RSA/SHA2 signature algorithms "rsa-sha2-256", "rsa-sha2-512" and their certificate counterparts. Configurations that override these options but omit these algorithm names may cause unexpected authentication failures (no action is required for configurations that accept the default for these options).
* sshd(8): the precedence of session environment variables has changed. ~/.ssh/environment and environment="..." options in authorized_keys files can no longer override SSH_* variables set implicitly by sshd.
* ssh(1)/sshd(8): the default IPQoS used by ssh/sshd has changed. They will now use DSCP AF21 for interactive traffic and CS1 for bulk. For a detailed rationale, please see the commit message: https://cvsweb.openbsd.org/src/usr.bin/ssh/readconf.c#rev1.284
Changes since OpenSSH 7.7
This is primarily a bugfix release.
New Features
* ssh(1)/sshd(8): add new signature algorithms "rsa-sha2-256-cert-v01@openssh.com " and "rsa-sha2-512-cert-v01@openssh.com " to explicitly force use of RSA/SHA2 signatures in authentication.
* sshd(8): extend the PermitUserEnvironment option to accept a whitelist of environment variable names in addition to global "yes" or "no" settings.
* sshd(8): add a PermitListen directive to sshd_config(5) and a corresponding permitlisten= authorized_keys option that control which listen addresses and port numbers may be used by remote forwarding (ssh -R ...).
* sshd(8): add some countermeasures against timing attacks used for account validation/enumeration. sshd will enforce a minimum time or each failed authentication attempt consisting of a global 5ms minimum plus an additional per-user 0-4ms delay derived from a host secret.
* sshd(8): add a SetEnv directive to allow an administrator to explicitly specify environment variables in sshd_config. Variables set by SetEnv override the default and client-specified environment.
* ssh(1): add a SetEnv directive to request that the server sets an environment variable in the session. Similar to the existing SendEnv option, these variables are set subject to server configuration.
* ssh(1): allow "SendEnv -PATTERN" to clear environment variables previously marked for sending to the server. bz#1285
* ssh(1)/sshd(8): make UID available as a %-expansion everywhere that the username is available currently. bz#2870
* ssh(1): allow setting ProxyJump=none to disable ProxyJump functionality. bz#2869
Bugfixes
* sshd(8): avoid observable differences in request parsing that could be used to determine whether a target user is valid.
* all: substantial internal refactoring
* ssh(1)/sshd(8): fix some memory leaks; bz#2366
* ssh(1): fix a pwent clobber (introduced in openssh-7.7) that could occur during key loading, manifesting as crash on some platforms.
* sshd_config(5): clarify documentation for AuthenticationMethods option; bz#2663
* ssh(1): ensure that the public key algorithm sent in a public key SSH_MSG_USERAUTH_REQUEST matches the content of the signature blob. Previously, these could be inconsistent when a legacy or non-OpenSSH ssh-agent returned a RSA/SHA1 signature when asked to make a RSA/SHA2 signature.
* sshd(8): fix failures to read authorized_keys caused by faulty supplemental group caching. bz#2873
* scp(1): apply umask to directories, fixing potential mkdir/chmod race when copying directory trees bz#2839
* ssh-keygen(1): return correct exit code when searching for and hashing known_hosts entries in a single operation; bz#2772
* ssh(1): prefer the ssh binary pointed to via argv[0] to $PATH when re-executing ssh for ProxyJump. bz#2831
* sshd(8): do not ban PTY allocation when a sshd session is restricted because the user password is expired as it breaks password change dialog. (regression in openssh-7.7).
* ssh(1)/sshd(8): fix error reporting from select() failures.
* ssh(1): improve documentation for -w (tunnel) flag, emphasising that -w implicitly sets Tunnel=point-to-point. bz#2365
* ssh-agent(1): implement EMFILE mitigation for ssh-agent. ssh-agent will no longer spin when its file descriptor limit is exceeded. bz#2576
* ssh(1)/sshd(8): disable SSH2_MSG_DEBUG messages for Twisted Conch clients. Twisted Conch versions that lack a version number in their identification strings will mishandle these messages when running on Python 2.x (https://twistedmatrix.com/trac/ticket/9422 )
* sftp(1): notify user immediately when underlying ssh process dies expectedly. bz#2719
* ssh(1)/sshd(8): fix tunnel forwarding; regression in 7.7 release. bz#2855
* ssh-agent(1): don't kill ssh-agent's listening socket entirely if it fails to accept(2) a connection. bz#2837
* sshd(8): relax checking of authorized_keys environment="..." options to allow underscores in variable names (regression introduced in 7.7). bz#2851
* ssh(1): add some missing options in the configuration dump output (ssh -G). bz#2835
Portability
* sshd(8): Expose details of completed authentication to PAM auth modules via SSH_AUTH_INFO_0 in the PAM environment. bz#2408
* Fix compilation problems caused by fights between zlib and OpenSSL colliding uses of "free_func"
* Improve detection of unsupported compiler options. Recently these may have manifested as "unsupported -Wl,-z,retpoline" warnings during linking.
* sshd(8): some sandbox support for Linux/s390 bz#2752.
* regress tests: unbreak key-options.sh test on platforms without openpty(3). bz#2856
* use getrandom(2) for PRNG seeding when built without OpenSSL.
Changelog
Copssh version 6.2.2 installers come with LibreSSL 2.7.4 which is a security update with the following changes:
Avoid a timing side-channel leak when generating DSA and ECDSA signatures. This is caused by an attempt to do fast modular arithmetic, which introduces branches that leak information regarding secret values. Issue identified and reported by Keegan Ryan of NCC Group.
Reject excessively large primes in DH key generation. Problem reported by Guido Vranken to OpenSSL (https://github.com/openssl/openssl/pull/6457 ) and based on his diff.
Changelog
Copssh version 6.2.1 installers come with LibreSSL 2.7.3 and an updated cygwin1.dll (2.10.1 - 20180214), which fixes a newly introduced bug causing files with temporary flag on being not visible for operations. See here for more information.
Changelog
Copssh version 6.2.0 installers contain OpenSSH 7.7p which is primarily a bugfix release. Major relevant changes:
ssh(1)/sshd(8): Drop compatibility support for some very old SSH implementations, including ssh.com <=2.* and OpenSSH <= 3.*. These versions were all released in or before 2001 and predate the final SSH RFCs. The support in question isn't necessary for RFC-compliant SSH implementations.
sshd(8): Add "expiry-time" option for authorized_keys files to allow for expiring keys.
ssh(1)/scp(1)/sftp(1): Add URI support to ssh, sftp and scp, e.g. ssh://user@host or sftp://user@host/path . Additional connection parameters described in draft-ietf-secsh-scp-sftp-ssh-uri-04 are not implemented since the ssh fingerprint format in the draft uses the deprecated MD5 hash with no way to specify the any other algorithm.
Changelog
Copssh version 6.1.3 comes with the latest version of LibreSSL (2.7.2 ). Cygwin and other GNU tools are also updated to their latest available version.
Changelog
Copssh version 6.1.2 comes with the latest version of LibreSSL (2.6.4 ). A predefined working directory (inst_directory \_work ) is now used to unpack subinstallers and other installer tools, allowing anti malware/virus programs for exclusion in a deterministic way if necessary. Working directory will be removed upon a successful installation.
Changelog
Copssh version 6.1.1 comes with the latest version LibreSSL (2.6.3 ). Upgrade logic in our installers are also improved.
Changelog
Copssh version 6.1.0 comes with the latest versions of OpenSSH (7.6 ) and LibreSSL (2.5.5 ). We have also updated the Cygwin and GNU Tools to their latest available versions.
Security issue:
sftp-server(8): in read-only mode, sftp-server was incorrectly permitting creation of zero-length files. Reported by Michal Zalewski.
Potentially-incompatible changes in OpenSSH:
This release includes a number of changes that may affect existing configurations:
ssh(1): delete SSH protocol version 1 support, associated configuration options and documentation.
ssh(1)/sshd(8): remove support for the hmac-ripemd160 MAC.
ssh(1)/sshd(8): remove support for the arcfour, blowfish and CAST ciphers.
Refuse RSA keys <1024 bits in length and improve reporting for keys that do not meet this requirement.
ssh(1): do not offer CBC ciphers by default.
Changelog
Copssh version 6.0.0 is a major update and uses now LibreSSL instead of OpenSSL as the cryptographic library provider.
LibreSSL is a version of the TLS/crypto stack forked from OpenSSL in 2014, with goals of modernizing the codebase, improving security, and applying best practice development processes. Primary development occurs inside the OpenBSD source tree with the usual care the project is known for. On a regular basis the code is re-packaged for portable use by other operating systems (Linux, FreeBSD, Windows, etc).
See https://en.wikipedia.org/wiki/LibreSSL for more detailed information.
We have also upgraded Cygwin and GNU tools to their latest available versions.
Changelog
Copssh version 5.9.0 bundle contains latest versions of OpenSSH (7.5p1 ), OpenSSL (1.0.1k ), Cygwin and GNU tools. Installers use now quoted service executable paths to avoid potential misuse of unquoted path vulnerabilities .
OpenSSH Security fixes:
ssh(1), sshd(8): Fix weakness in CBC padding oracle countermeasures that allowed a variant of the attack fixed in OpenSSH 7.3 to proceed. Note that the OpenSSH client disables CBC ciphers by default, sshd offers them as lowest-preference options and will remove them by default entriely in the next release. Reported by Jean Paul Degabriele, Kenny Paterson, Martin Albrecht and Torben Hansen of Royal Holloway, University of London.
sftp-client(1): [portable OpenSSH only] On Cygwin, a client making a recursive file transfer could be maniuplated by a hostile server to perform a path-traversal attack. creating or modifying files outside of the intended target directory. Reported by Jann Horn of Google Project Zero.
OpenSSL Security fixes:
Truncated packet could crash via OOB read (CVE-2017-3731)
BN_mod_exp may produce incorrect results on x86_64 (CVE-2017-3732)
Montgomery multiplication may produce incorrect results (CVE-2016-7055)
Changelog
Copssh version 5.8.1 bundle contains server installers with improved support for domain based service accounts. We have also updated the Control Panel to configure many advanced server-wide options through the GUI. User specific advanced options are also updated to support more options. Lack of proper permissions on the host private keys are now fixed so that they are only visible to the service account.
Changelog
Copssh version 5.8.0 bundle contains 32/64-bit client/server installers containing the latest OpenSSH 7.4p1 with potentially-incompatible changes, security and bug fixes:
Potentially-incompatible changes
================================
This release includes a number of changes that may affect existing
configurations:
* This release removes server support for the SSH v.1 protocol.
* ssh(1): Remove 3des-cbc from the client's default proposal. 64-bit
block ciphers are not safe in 2016 and we don't want to wait until
attacks like SWEET32 are extended to SSH. As 3des-cbc was the
only mandatory cipher in the SSH RFCs, this may cause problems
connecting to older devices using the default configuration,
but it's highly likely that such devices already need explicit
configuration for key exchange and hostkey algorithms already
anyway.
* sshd(8): Remove support for pre-authentication compression.
Doing compression early in the protocol probably seemed reasonable
in the 1990s, but today it's clearly a bad idea in terms of both
cryptography (cf. multiple compression oracle attacks in TLS) and
attack surface. Pre-auth compression support has been disabled by
default for >10 years. Support remains in the client.
* ssh-agent will refuse to load PKCS#11 modules outside a whitelist
of trusted paths by default. The path whitelist may be specified
at run-time.
* sshd(8): When a forced-command appears in both a certificate and
an authorized keys/principals command= restriction, sshd will now
refuse to accept the certificate unless they are identical.
The previous (documented) behaviour of having the certificate
forced-command override the other could be a bit confusing and
error-prone.
* sshd(8): Remove the UseLogin configuration directive and support
for having /bin/login manage login sessions.
Changes since OpenSSH 7.3
=========================
This is primarily a bugfix release.
Security
--------
* ssh-agent(1): Will now refuse to load PKCS#11 modules from paths
outside a trusted whitelist (run-time configurable). Requests to
load modules could be passed via agent forwarding and an attacker
could attempt to load a hostile PKCS#11 module across the forwarded
agent channel: PKCS#11 modules are shared libraries, so this would
result in code execution on the system running the ssh-agent if the
attacker has control of the forwarded agent-socket (on the host
running the sshd server) and the ability to write to the filesystem
of the host running ssh-agent (usually the host running the ssh
client). Reported by Jann Horn of Project Zero.
* sshd(8): When privilege separation is disabled, forwarded Unix-
domain sockets would be created by sshd(8) with the privileges of
'root' instead of the authenticated user. This release refuses
Unix-domain socket forwarding when privilege separation is disabled
(Privilege separation has been enabled by default for 14 years).
Reported by Jann Horn of Project Zero.
* sshd(8): Avoid theoretical leak of host private key material to
privilege-separated child processes via realloc() when reading
keys. No such leak was observed in practice for normal-sized keys,
nor does a leak to the child processes directly expose key material
to unprivileged users. Reported by Jann Horn of Project Zero.
* sshd(8): The shared memory manager used by pre-authentication
compression support had a bounds checks that could be elided by
some optimising compilers. Additionally, this memory manager was
incorrectly accessible when pre-authentication compression was
disabled. This could potentially allow attacks against the
privileged monitor process from the sandboxed privilege-separation
process (a compromise of the latter would be required first).
This release removes support for pre-authentication compression
from sshd(8). Reported by Guido Vranken using the Stack unstable
optimisation identification tool (http://css.csail.mit.edu/stack/ )
* sshd(8): Fix denial-of-service condition where an attacker who
sends multiple KEXINIT messages may consume up to 128MB per
connection. Reported by Shi Lei of Gear Team, Qihoo 360.
* sshd(8): Validate address ranges for AllowUser and DenyUsers
directives at configuration load time and refuse to accept invalid
ones. It was previously possible to specify invalid CIDR address
ranges (e.g. user@127.1.2.3/55) and these would always match,
possibly resulting in granting access where it was not intended.
Reported by Laurence Parry.
New Features
------------
* ssh(1): Add a proxy multiplexing mode to ssh(1) inspired by the
version in PuTTY by Simon Tatham. This allows a multiplexing
client to communicate with the master process using a subset of
the SSH packet and channels protocol over a Unix-domain socket,
with the main process acting as a proxy that translates channel
IDs, etc. This allows multiplexing mode to run on systems that
lack file- descriptor passing (used by current multiplexing
code) and potentially, in conjunction with Unix-domain socket
forwarding, with the client and multiplexing master process on
different machines. Multiplexing proxy mode may be invoked using
"ssh -O proxy ..."
* sshd(8): Add a sshd_config DisableForwarding option that disables
X11, agent, TCP, tunnel and Unix domain socket forwarding, as well
as anything else we might implement in the future. Like the
'restrict' authorized_keys flag, this is intended to be a simple
and future-proof way of restricting an account.
* sshd(8), ssh(1): Support the "curve25519-sha256" key exchange
method. This is identical to the currently-supported method named
"curve25519-sha256@libssh.org ".
* sshd(8): Improve handling of SIGHUP by checking to see if sshd is
already daemonised at startup and skipping the call to daemon(3)
if it is. This ensures that a SIGHUP restart of sshd(8) will
retain the same process-ID as the initial execution. sshd(8) will
also now unlink the PidFile prior to SIGHUP restart and re-create
it after a successful restart, rather than leaving a stale file in
the case of a configuration error. bz#2641
* sshd(8): Allow ClientAliveInterval and ClientAliveCountMax
directives to appear in sshd_config Match blocks.
* sshd(8): Add %-escapes to AuthorizedPrincipalsCommand to match
those supported by AuthorizedKeysCommand (key, key type,
fingerprint, etc.) and a few more to provide access to the
contents of the certificate being offered.
* Added regression tests for string matching, address matching and
string sanitisation functions.
* Improved the key exchange fuzzer harness.
Bugfixes
--------
* ssh(1): Allow IdentityFile to successfully load and use
certificates that have no corresponding bare public key. bz#2617
certificate id_rsa-cert.pub (and no id_rsa.pub).
* ssh(1): Fix public key authentication when multiple
authentication is in use and publickey is not just the first
method attempted. bz#2642
* regress: Allow the PuTTY interop tests to run unattended. bz#2639
* ssh-agent(1), ssh(1): improve reporting when attempting to load
keys from PKCS#11 tokens with fewer useless log messages and more
detail in debug messages. bz#2610
* ssh(1): When tearing down ControlMaster connections, don't
pollute stderr when LogLevel=quiet.
* sftp(1): On ^Z wait for underlying ssh(1) to suspend before
suspending sftp(1) to ensure that ssh(1) restores the terminal mode
correctly if suspended during a password prompt.
* ssh(1): Avoid busy-wait when ssh(1) is suspended during a password
prompt.
* ssh(1), sshd(8): Correctly report errors during sending of ext-
info messages.
* sshd(8): fix NULL-deref crash if sshd(8) received an out-of-
sequence NEWKEYS message.
* sshd(8): Correct list of supported signature algorithms sent in
the server-sig-algs extension. bz#2547
* sshd(8): Fix sending ext_info message if privsep is disabled.
* sshd(8): more strictly enforce the expected ordering of privilege
separation monitor calls used for authentication and allow them
only when their respective authentication methods are enabled
in the configuration
* sshd(8): Fix uninitialised optlen in getsockopt() call; harmless
on Unix/BSD but potentially crashy on Cygwin.
* Fix false positive reports caused by explicit_bzero(3) not being
recognised as a memory initialiser when compiled with
-fsanitize-memory.
* sshd_config(5): Use 2001:db8::/32, the official IPv6 subnet for
configuration examples.
Portability
-----------
* On environments configured with Turkish locales, fall back to the
C/POSIX locale to avoid errors in configuration parsing caused by
that locale's unique handling of the letters 'i' and 'I'. bz#2643
* sftp-server(8), ssh-agent(1): Deny ptrace on OS X using
ptrace(PT_DENY_ATTACH, ..)
* ssh(1), sshd(8): Unbreak AES-CTR ciphers on old (~0.9.8) OpenSSL.
* Fix compilation for libcrypto compiled without RIPEMD160 support.
* contrib: Add a gnome-ssh-askpass3 with GTK+3 support. bz#2640
* sshd(8): Improve PRNG reseeding across privilege separation and
force libcrypto to obtain a high-quality seed before chroot or
sandboxing.
* All: Explicitly test for broken strnvis. NetBSD added an strnvis
and unfortunately made it incompatible with the existing one in
OpenBSD and Linux's libbsd (the former having existed for over ten
years). Try to detect this mess, and assume the only safe option
if we're cross compiling.
Changelog
Copssh version 5.7.0 bundle contains 32/64-bit client/server installers containing OpenSSL 1.0.2j with security fixes, Cygwin and GNU Tools with their latest available versions. As a result of that update, Windows XP/2003 are not supported any longer. Our installer logic is also updated resulting with about some size decrease and more secure service account setup.
Changelog
Copssh version 5.6.0 bundle contains 32/64-bit client/server installers containing recently released OpenSSH 7.3p1 .
Changelog
Copssh version 5.5.3 bundle contains 32/64-bit client/server installers containing OpenSSL 1.0.2h . Cygwin and related GNU tools are also updated to their latest available versions.
Changelog
Copssh version 5.5.1 bundle contains 32/64-bit client/server installers containing OpenSSL 1.0.2g :
OpenSSL Security Advisory [1st March 2016]
=========================================
NOTE: With this update, OpenSSL is disabling the SSLv2 protocol by default, as
well as removing SSLv2 EXPORT ciphers. We strongly advise against the use of
SSLv2 due not only to the issues described below, but to the other known
deficiencies in the protocol as described at
https://tools.ietf.org/html/rfc6176
Cross-protocol attack on TLS using SSLv2 (DROWN) (CVE-2016-0800)
================================================================
Severity: High
A cross-protocol attack was discovered that could lead to decryption of TLS
sessions by using a server supporting SSLv2 and EXPORT cipher suites as a
Bleichenbacher RSA padding oracle. Note that traffic between clients and
non-vulnerable servers can be decrypted provided another server supporting
SSLv2 and EXPORT ciphers (even with a different protocol such as SMTP, IMAP or
POP) shares the RSA keys of the non-vulnerable server. This vulnerability is
known as DROWN (CVE-2016-0800).
Recovering one session key requires the attacker to perform approximately 2^50
computation, as well as thousands of connections to the affected server. A more
efficient variant of the DROWN attack exists against unpatched OpenSSL servers
using versions that predate 1.0.2a, 1.0.1m, 1.0.0r and 0.9.8zf released on
19/Mar/2015 (see CVE-2016-0703 below).
Users can avoid this issue by disabling the SSLv2 protocol in all their SSL/TLS
servers, if they've not done so already. Disabling all SSLv2 ciphers is also
sufficient, provided the patches for CVE-2015-3197 (fixed in OpenSSL 1.0.1r and
1.0.2f) have been deployed. Servers that have not disabled the SSLv2 protocol,
and are not patched for CVE-2015-3197 are vulnerable to DROWN even if all SSLv2
ciphers are nominally disabled, because malicious clients can force the use of
SSLv2 with EXPORT ciphers.
OpenSSL 1.0.2g and 1.0.1s deploy the following mitigation against DROWN:
SSLv2 is now by default disabled at build-time. Builds that are not configured
with "enable-ssl2" will not support SSLv2. Even if "enable-ssl2" is used,
users who want to negotiate SSLv2 via the version-flexible SSLv23_method() will
need to explicitly call either of:
SSL_CTX_clear_options(ctx, SSL_OP_NO_SSLv2);
or
SSL_clear_options(ssl, SSL_OP_NO_SSLv2);
as appropriate. Even if either of those is used, or the application explicitly
uses the version-specific SSLv2_method() or its client or server variants,
SSLv2 ciphers vulnerable to exhaustive search key recovery have been removed.
Specifically, the SSLv2 40-bit EXPORT ciphers, and SSLv2 56-bit DES are no
longer available.
In addition, weak ciphers in SSLv3 and up are now disabled in default builds of
OpenSSL. Builds that are not configured with "enable-weak-ssl-ciphers" will
not provide any "EXPORT" or "LOW" strength ciphers.
OpenSSL 1.0.2 users should upgrade to 1.0.2g
OpenSSL 1.0.1 users should upgrade to 1.0.1s
This issue was reported to OpenSSL on December 29th 2015 by Nimrod Aviram and
Sebastian Schinzel. The fix was developed by Viktor Dukhovni and Matt Caswell
of OpenSSL.
Double-free in DSA code (CVE-2016-0705)
=======================================
Severity: Low
A double free bug was discovered when OpenSSL parses malformed DSA private keys
and could lead to a DoS attack or memory corruption for applications that
receive DSA private keys from untrusted sources. This scenario is considered
rare.
This issue affects OpenSSL versions 1.0.2 and 1.0.1.
OpenSSL 1.0.2 users should upgrade to 1.0.2g
OpenSSL 1.0.1 users should upgrade to 1.0.1s
This issue was reported to OpenSSL on February 7th 2016 by Adam Langley
(Google/BoringSSL) using libFuzzer. The fix was developed by Dr Stephen Henson
of OpenSSL.
Memory leak in SRP database lookups (CVE-2016-0798)
===================================================
Severity: Low
The SRP user database lookup method SRP_VBASE_get_by_user had
confusing memory management semantics; the returned pointer was sometimes newly
allocated, and sometimes owned by the callee. The calling code has no way of
distinguishing these two cases.
Specifically, SRP servers that configure a secret seed to hide valid
login information are vulnerable to a memory leak: an attacker
connecting with an invalid username can cause a memory leak of around
300 bytes per connection. Servers that do not configure SRP, or
configure SRP but do not configure a seed are not vulnerable.
In Apache, the seed directive is known as SSLSRPUnknownUserSeed.
To mitigate the memory leak, the seed handling in
SRP_VBASE_get_by_user is now disabled even if the user has configured
a seed. Applications are advised to migrate to
SRP_VBASE_get1_by_user. However, note that OpenSSL makes no strong
guarantees about the indistinguishability of valid and invalid
logins. In particular, computations are currently not carried out in
constant time.
This issue affects OpenSSL versions 1.0.2 and 1.0.1.
OpenSSL 1.0.2 users should upgrade to 1.0.2g
OpenSSL 1.0.1 users should upgrade to 1.0.1s
This issue was discovered on February 23rd 2016 by Emilia Käsper of
the OpenSSL development team. Emilia Käsper also developed the fix.
BN_hex2bn/BN_dec2bn NULL pointer deref/heap corruption (CVE-2016-0797)
======================================================================
Severity: Low
In the BN_hex2bn function the number of hex digits is calculated using an int
value |i|. Later |bn_expand| is called with a value of |i * 4|. For large values
of |i| this can result in |bn_expand| not allocating any memory because |i * 4|
is negative. This can leave the internal BIGNUM data field as NULL leading to a
subsequent NULL ptr deref. For very large values of |i|, the calculation |i * 4|
could be a positive value smaller than |i|. In this case memory is allocated to
the internal BIGNUM data field, but it is insufficiently sized leading to heap
corruption. A similar issue exists in BN_dec2bn. This could have security
consequences if BN_hex2bn/BN_dec2bn is ever called by user applications with
very large untrusted hex/dec data. This is anticipated to be a rare occurrence.
All OpenSSL internal usage of these functions use data that is not expected to
be untrusted, e.g. config file data or application command line arguments. If
user developed applications generate config file data based on untrusted data
then it is possible that this could also lead to security consequences. This is
also anticipated to be rare.
This issue affects OpenSSL versions 1.0.2 and 1.0.1.
OpenSSL 1.0.2 users should upgrade to 1.0.2g
OpenSSL 1.0.1 users should upgrade to 1.0.1s
This issue was reported to OpenSSL on February 19th 2016 by Guido Vranken. The
fix was developed by Matt Caswell of the OpenSSL development team.
Fix memory issues in BIO_*printf functions (CVE-2016-0799)
==========================================================
Severity: Low
The internal |fmtstr| function used in processing a "%s" format string in the
BIO_*printf functions could overflow while calculating the length of a string
and cause an OOB read when printing very long strings.
Additionally the internal |doapr_outch| function can attempt to write to an OOB
memory location (at an offset from the NULL pointer) in the event of a memory
allocation failure. In 1.0.2 and below this could be caused where the size of a
buffer to be allocated is greater than INT_MAX. E.g. this could be in processing
a very long "%s" format string. Memory leaks can also occur.
The first issue may mask the second issue dependent on compiler behaviour.
These problems could enable attacks where large amounts of untrusted data is
passed to the BIO_*printf functions. If applications use these functions in this
way then they could be vulnerable. OpenSSL itself uses these functions when
printing out human-readable dumps of ASN.1 data. Therefore applications that
print this data could be vulnerable if the data is from untrusted sources.
OpenSSL command line applications could also be vulnerable where they print out
ASN.1 data, or if untrusted data is passed as command line arguments.
Libssl is not considered directly vulnerable. Additionally certificates etc
received via remote connections via libssl are also unlikely to be able to
trigger these issues because of message size limits enforced within libssl.
This issue affects OpenSSL versions 1.0.2 and 1.0.1.
OpenSSL 1.0.2 users should upgrade to 1.0.2g
OpenSSL 1.0.1 users should upgrade to 1.0.1s
This issue was reported to OpenSSL on February 23rd by Guido Vranken. The
fix was developed by Matt Caswell of the OpenSSL development team.
Side channel attack on modular exponentiation (CVE-2016-0702)
=============================================================
Severity: Low
A side-channel attack was found which makes use of cache-bank conflicts on the
Intel Sandy-Bridge microarchitecture which could lead to the recovery of RSA
keys. The ability to exploit this issue is limited as it relies on an attacker
who has control of code in a thread running on the same hyper-threaded core as
the victim thread which is performing decryptions.
This issue affects OpenSSL versions 1.0.2 and 1.0.1.
OpenSSL 1.0.2 users should upgrade to 1.0.2g
OpenSSL 1.0.1 users should upgrade to 1.0.1s
This issue was reported to OpenSSL on Jan 8th 2016 by Yuval Yarom, The
University of Adelaide and NICTA, Daniel Genkin, Technion and Tel Aviv
University, and Nadia Heninger, University of Pennsylvania with more
information at http://cachebleed.info . The fix was developed by Andy Polyakov
of OpenSSL.
Divide-and-conquer session key recovery in SSLv2 (CVE-2016-0703)
================================================================
Severity: High
This issue only affected versions of OpenSSL prior to March 19th 2015 at which
time the code was refactored to address vulnerability CVE-2015-0293.
s2_srvr.c did not enforce that clear-key-length is 0 for non-export ciphers. If
clear-key bytes are present for these ciphers, they *displace* encrypted-key
bytes. This leads to an efficient divide-and-conquer key recovery attack: if an
eavesdropper has intercepted an SSLv2 handshake, they can use the server as an
oracle to determine the SSLv2 master-key, using only 16 connections to the
server and negligible computation.
More importantly, this leads to a more efficient version of DROWN that is
effective against non-export ciphersuites, and requires no significant
computation.
This issue affected OpenSSL versions 1.0.2, 1.0.1l, 1.0.0q, 0.9.8ze and all
earlier versions. It was fixed in OpenSSL 1.0.2a, 1.0.1m, 1.0.0r and 0.9.8zf
(released March 19th 2015).
This issue was reported to OpenSSL on February 10th 2016 by David Adrian and J.
Alex Halderman of the University of Michigan. The underlying defect had by
then already been fixed by Emilia Käsper of OpenSSL on March 4th 2015. The fix
for this issue can be identified by commits ae50d827 (1.0.2a), cd56a08d
(1.0.1m), 1a08063 (1.0.0r) and 65c588c (0.9.8zf).
Bleichenbacher oracle in SSLv2 (CVE-2016-0704)
==============================================
Severity: Moderate
This issue only affected versions of OpenSSL prior to March 19th 2015 at which
time the code was refactored to address the vulnerability CVE-2015-0293.
s2_srvr.c overwrite the wrong bytes in the master-key when applying
Bleichenbacher protection for export cipher suites. This provides a
Bleichenbacher oracle, and could potentially allow more efficient variants of
the DROWN attack.
This issue affected OpenSSL versions 1.0.2, 1.0.1l, 1.0.0q, 0.9.8ze and all
earlier versions. It was fixed in OpenSSL 1.0.2a, 1.0.1m, 1.0.0r and 0.9.8zf
(released March 19th 2015).
This issue was reported to OpenSSL on February 10th 2016 by David Adrian and J.
Alex Halderman of the University of Michigan. The underlying defect had by
then already been fixed by Emilia Käsper of OpenSSL on March 4th 2015. The fix
for this issue can be identified by commits ae50d827 (1.0.2a), cd56a08d
(1.0.1m), 1a08063 (1.0.0r) and 65c588c (0.9.8zf).
Note
====
As per our previous announcements and our Release Strategy
(https://www.openssl.org/policies/releasestrat.html ), support for OpenSSL
version 1.0.1 will cease on 31st December 2016. No security updates for that
version will be provided after that date. Users of 1.0.1 are advised to
upgrade.
Support for versions 0.9.8 and 1.0.0 ended on 31st December 2015. Those
versions are no longer receiving security updates.
References
==========
URL for this Security Advisory:
https://www.openssl.org/news/secadv/20160301.txt
Note: the online version of the advisory may be updated with additional details
over time.
For details of OpenSSL severity classifications please see:
https://www.openssl.org/policies/secpolicy.html
Changelog
Copssh version 5.5.0 bundle contains 32/64-bit client/server installers with OpenSSH 7.2p1 .
OpenSSH 7.2 Release Notes:
OpenSSH 7.2 has just been released. It will be available from the
mirrors listed at http://www.openssh.com/ shortly.
OpenSSH is a 100% complete SSH protocol 2.0 implementation and
includes sftp client and server support. OpenSSH also includes
transitional support for the legacy SSH 1.3 and 1.5 protocols
that may be enabled at compile-time.
Once again, we would like to thank the OpenSSH community for their
continued support of the project, especially those who contributed
code or patches, reported bugs, tested snapshots or donated to the
project. More information on donations may be found at:
http://www.openssh.com/donations.html
Future deprecation notice
=========================
We plan on retiring more legacy cryptography in a near-future
release, specifically:
* Refusing all RSA keys smaller than 1024 bits (the current minimum
is 768 bits)
This list reflects our current intentions, but please check the final
release notes for future releases.
Potentially-incompatible changes
================================
This release disables a number of legacy cryptographic algorithms
by default in ssh:
* Several ciphers blowfish-cbc, cast128-cbc, all arcfour variants
and the rijndael-cbc aliases for AES.
* MD5-based and truncated HMAC algorithms.
These algorithms are already disabled by default in sshd.
Changes since OpenSSH 7.1p2
===========================
This is primarily a bugfix release.
Security
--------
* ssh(1), sshd(8): remove unfinished and unused roaming code (was
already forcibly disabled in OpenSSH 7.1p2).
* ssh(1): eliminate fallback from untrusted X11 forwarding to
trusted forwarding when the X server disables the SECURITY
extension.
* ssh(1), sshd(8): increase the minimum modulus size supported for
diffie-hellman-group-exchange to 2048 bits.
* sshd(8): pre-auth sandboxing is now enabled by default (previous
releases enabled it for new installations via sshd_config).
New Features
------------
* all: add support for RSA signatures using SHA-256/512 hash
algorithms based on draft-rsa-dsa-sha2-256-03.txt and
draft-ssh-ext-info-04.txt.
* ssh(1): Add an AddKeysToAgent client option which can be set to
'yes', 'no', 'ask', or 'confirm', and defaults to 'no'. When
enabled, a private key that is used during authentication will be
added to ssh-agent if it is running (with confirmation enabled if
set to 'confirm').
* sshd(8): add a new authorized_keys option "restrict" that includes
all current and future key restrictions (no-*-forwarding, etc.).
Also add permissive versions of the existing restrictions, e.g.
"no-pty" -> "pty". This simplifies the task of setting up
restricted keys and ensures they are maximally-restricted,
regardless of any permissions we might implement in the future.
* ssh(1): add ssh_config CertificateFile option to explicitly list
certificates. bz#2436
* ssh-keygen(1): allow ssh-keygen to change the key comment for all
supported formats.
* ssh-keygen(1): allow fingerprinting from standard input, e.g.
"ssh-keygen -lf -"
* ssh-keygen(1): allow fingerprinting multiple public keys in a
file, e.g. "ssh-keygen -lf ~/.ssh/authorized_keys" bz#1319
* sshd(8): support "none" as an argument for sshd_config
Foreground and ChrootDirectory. Useful inside Match blocks to
override a global default. bz#2486
* ssh-keygen(1): support multiple certificates (one per line) and
reading from standard input (using "-f -") for "ssh-keygen -L"
* ssh-keyscan(1): add "ssh-keyscan -c ..." flag to allow fetching
certificates instead of plain keys.
* ssh(1): better handle anchored FQDNs (e.g. 'cvs.openbsd.org.') in
hostname canonicalisation - treat them as already canonical and
remove the trailing '.' before matching ssh_config.
Bugfixes
--------
* sftp(1): existing destination directories should not terminate
recursive uploads (regression in openssh 6.8) bz#2528
* ssh(1), sshd(8): correctly send back SSH2_MSG_UNIMPLEMENTED
replies to unexpected messages during key exchange. bz#2949
* ssh(1): refuse attempts to set ConnectionAttempts=0, which does
not make sense and would cause ssh to print an uninitialised stack
variable. bz#2500
* ssh(1): fix errors when attempting to connect to scoped IPv6
addresses with hostname canonicalisation enabled.
* sshd_config(5): list a couple more options usable in Match blocks.
bz#2489
* sshd(8): fix "PubkeyAcceptedKeyTypes +..." inside a Match block.
* ssh(1): expand tilde characters in filenames passed to -i options
before checking whether or not the identity file exists. Avoids
confusion for cases where shell doesn't expand (e.g. "-i ~/file"
vs. "-i~/file"). bz#2481
* ssh(1): do not prepend "exec" to the shell command run by "Match
exec" in a config file, which could cause some commands to fail
in certain environments. bz#2471
* ssh-keyscan(1): fix output for multiple hosts/addrs on one line
when host hashing or a non standard port is in use bz#2479
* sshd(8): skip "Could not chdir to home directory" message when
ChrootDirectory is active. bz#2485
* ssh(1): include PubkeyAcceptedKeyTypes in ssh -G config dump.
* sshd(8): avoid changing TunnelForwarding device flags if they are
already what is needed; makes it possible to use tun/tap
networking as non-root user if device permissions and interface
flags are pre-established
* ssh(1), sshd(8): RekeyLimits could be exceeded by one packet.
bz#2521
* ssh(1): fix multiplexing master failure to notice client exit.
* ssh(1), ssh-agent(1): avoid fatal() for PKCS11 tokens that present
empty key IDs. bz#1773
* sshd(8): avoid printf of NULL argument. bz#2535
* ssh(1), sshd(8): allow RekeyLimits larger than 4GB. bz#2521
* ssh-keygen(1): sshd(8): fix several bugs in (unused) KRL signature
support.
* ssh(1), sshd(8): fix connections with peers that use the key
exchange guess feature of the protocol. bz#2515
* sshd(8): include remote port number in log messages. bz#2503
* ssh(1): don't try to load SSHv1 private key when compiled without
SSHv1 support. bz#2505
* ssh-agent(1), ssh(1): fix incorrect error messages during key
loading and signing errors. bz#2507
* ssh-keygen(1): don't leave empty temporary files when performing
known_hosts file edits when known_hosts doesn't exist.
* sshd(8): correct packet format for tcpip-forward replies for
requests that don't allocate a port bz#2509
* ssh(1), sshd(8): fix possible hang on closed output. bz#2469
* ssh(1): expand %i in ControlPath to UID. bz#2449
* ssh(1), sshd(8): fix return type of openssh_RSA_verify. bz#2460
* ssh(1), sshd(8): fix some option parsing memory leaks. bz#2182
* ssh(1): add a some debug output before DNS resolution; it's a
place where ssh could previously silently stall in cases of
unresponsive DNS servers. bz#2433
* ssh(1): remove spurious newline in visual hostkey. bz#2686
* ssh(1): fix printing (ssh -G ...) of HostKeyAlgorithms=+...
* ssh(1): fix expansion of HostkeyAlgorithms=+...
Documentation
-------------
* ssh_config(5), sshd_config(5): update default algorithm lists to
match current reality. bz#2527
* ssh(1): mention -Q key-plain and -Q key-cert query options.
bz#2455
* sshd_config(8): more clearly describe what AuthorizedKeysFile=none
does.
* ssh_config(5): better document ExitOnForwardFailure. bz#2444
* sshd(5): mention internal DH-GEX fallback groups in manual.
bz#2302
* sshd_config(5): better description for MaxSessions option.
bz#2531
Portability
-----------
* ssh(1), sftp-server(8), ssh-agent(1), sshd(8): Support Illumos/
Solaris fine-grained privileges. Including a pre-auth privsep
sandbox and several pledge() emulations. bz#2511
* Renovate redhat/openssh.spec, removing deprecated options and
syntax.
* configure: allow --without-ssl-engine with --without-openssl
* sshd(8): fix multiple authentication using S/Key. bz#2502
* sshd(8): read back from libcrypto RAND_* before dropping
privileges. Avoids sandboxing violations with BoringSSL.
* Fix name collision with system-provided glob(3) functions.
bz#2463
* Adapt Makefile to use ssh-keygen -A when generating host keys.
bz#2459
* configure: correct default value for --with-ssh1 bz#2457
* configure: better detection of _res symbol bz#2259
* support getrandom() syscall on Linux
Changelog
Copssh version 5.4.3 bundle contains 32/64-bit client/server installers containing OpenSSL 1.0.2f fixing security vulnerabilities CVE-2016-0701 (high) and CVE-2015-3197 (low). We have also updated Cygwin and GNU tools to their latest versions.
Changelog
Copssh version 5.4.2 bundle contains 32/64-bit client/server installers with OpenSSH 7.1p2 , fixing security vulnerabilities. Changes from 7.1.p1:
CVE-2016-0777 SECURITY: ssh(1): The OpenSSH client code between 5.4 and 7.1 contains experimental support for resuming SSH-connections (roaming).
The matching server code has never been shipped, but the client code was enabled by default and could be tricked by a malicious server into leaking client memory to the server, including private client user keys. The authentication of the server host key prevents exploitation by a man-in-the-middle, so this information leak is restricted to connections to malicious or compromised servers. MITIGATION: For OpenSSH >= 5.4 the vulnerable code in the client can be completely disabled by adding 'UseRoaming no' to the gobal ssh_config(5) file, or to user configuration in ~/.ssh/config, or by passing -oUseRoaming=no on the command line. This problem was reported by the Qualys Security Advisory team.
SECURITY: Fix an out of-bound read access in the packet handling code. Reported by Ben Hawkes.
PROTOCOL: Correctly interpret the 'first_kex_follows' option during the intial key exchange. Reported by Matt Johnston.
Further use of explicit_bzero has been added in various buffer handling code paths to guard against compilers aggressively doing dead-store removal.
Changelog
Copssh version 5.4.1 bundle contains 32/64-bit client/server installers with updated OpenSSL and Cygwin/GNU tools. OpenSSL 1.0.2e fixes 5 security vulnerabilities:
Moderate - BN_mod_exp may produce incorrect results on x86_64 (CVE-2015-3193)
Moderate - Certificate verify crash with missing PSS parameter (CVE-2015-3194)
Moderate - X509_ATTRIBUTE memory leak (CVE-2015-3195)
Low - Race condition handling PSK identify hint (CVE-2015-3196)
Low - Anon DH ServerKeyExchange with 0 p parameter (CVE-2015-1794)
We have also updated Cygwin/GNU Tools to the latest stable versions. Enjoy!
Changelog
Copssh version 5.4.0 bundle contains 32/64-bit client/server installers with OpenSSH 7.1 , a bug fix release:
Security
sshd(8): OpenSSH 7.0 contained a logic error in PermitRootLogin=prohibit-password/without-password that could, depending on compile-time configuration, permit password authentication to root while preventing other forms of authentication. This problem was reported by Mantas Mikulenas.
Bugfixes
ssh(1), sshd(8): add compatibility workarounds for FuTTY
ssh(1), sshd(8): refine compatibility workarounds for WinSCP
Fix a number of memory faults (double-free, free of uninitialised memory, etc) in ssh(1) and ssh-keygen(1). Reported by Mateusz Kocielski.
Future deprecation notice from OpenSSH:
We plan on retiring more legacy cryptography in the next release including:
Refusing all RSA keys smaller than 1024 bits (the current minimum is 768 bits)
Several ciphers will be disabled by default: blowfish-cbc, cast128-cbc, all arcfour variants and the rijndael-cbc aliases for AES.
MD5-based HMAC algorithms will be disabled by default.
This list reflects our current intentions, but please check the final release notes for OpenSSH 7.2 when it is released.
Changelog
Copssh version 5.3.0 bundle contains 32/64-bit client/server installers with OpenSSH 7.0 . Focus of this release is primarily to deprecate weak, legacy and/or unsafe cryptography:
Support for the legacy SSH version 1 protocol is disabled by default at compile time.
Support for the 1024-bit diffie-hellman-group1-sha1 key exchange is disabled by default at run-time. It may be re-enabled using the instructions at http://www.openssh.com/legacy.html
Support for ssh-dss, ssh-dss-cert-* host and user keys is disabled by default at run-time. These may be re-enabled using the instructions at http://www.openssh.com/legacy.html
Support for the legacy v00 cert format has been removed.
Security related fixes:
sshd(8): OpenSSH 6.8 and 6.9 incorrectly set TTYs to be world-writable. Local attackers may be able to write arbitrary messages to logged-in users, including terminal escape sequences. Reported by Nikolay Edigaryev.
sshd(8): Portable OpenSSH only: Fixed a privilege separation weakness related to PAM support. Attackers who could successfully compromise the pre-authentication process for remote code execution and who had valid credentials on the host could impersonate other users. Reported by Moritz Jodeit.
sshd(8): Portable OpenSSH only: Fixed a use-after-free bug related to PAM support that was reachable by attackers who could compromise the pre-authentication process for remote code execution. Also reported by Moritz Jodeit.
sshd(8): fix circumvention of MaxAuthTries using keyboard-interactive authentication. By specifying a long, repeating keyboard-interactive "devices" string, an attacker could request the same authentication method be tried thousands of times in a single pass. The LoginGraceTime timeout in sshd(8) and any authentication failure delays implemented by the authentication mechanism itself were still applied. Found by Kingcope.
Changelog
Copssh version 5.2.0 bundle contains 32/64-bit client/server installers with OpenSSH 6.9 and OpenSSL 1.0.2d binaries (CVE-2015-1793). As OpenSSH uses only the cryptoghraphic library part of OpenSSL, Copssh is not directly affected by this security advisory.
Changelog
Copssh version 5.1.1 is a maintenance release and contains the latest available versions of Cygwin (2.0.2) and related GNU tools.
Changelog
Copssh product version 5.1.0 comes with the latest available versions of OpenSSH (6.8 , a major release) and OpenSSL (1.0.2a addressing many security vulnerabilities). Daemon program sshd is also patched to avoid logout hang problem as described in our previous blog .
Free edition is updated with the latest available OpenSSL (1.0.2a) as well.
Changelog
Copssh version 5.0.4 comes with a custom patch addressing session hang problems during logout for domain users. Users experiencing the problem reported that they observe following lines in the event log:
error: chmod /dev/pty1 0666 failed: No such file or directory
error: chown /dev/pty1 0 0 failed: No such file or directory
As a result of that failure, you may observe multiple hanging sshd processes at the server side as well. Please upgrade if you experience those problems in your environment.
Contents of the custom patch:
--- sshpty.c 2014-05-21 09:06:47.000000000 +0200+++ sshpty.new.c 2015-03-06 17:26:49.125000000 +0100@@ -85,12 +85,7 @@ void pty_release(const char *tty) {-#ifndef __APPLE_PRIVPTY__- if (chown(tty, (uid_t) 0, (gid_t) 0) < 0)- error("chown %.100s 0 0 failed: %.100s", tty, strerror(errno));- if (chmod(tty, (mode_t) 0666) < 0)- error("chmod %.100s 0666 failed: %.100s", tty, strerror(errno));-#endif /* __APPLE_PRIVPTY__ */+ return; } /* Makes the tty the process's controlling tty and sets it to sane modes. */
Changelog
Copssh version 5.0.3 is a maintenance release coming with OpenSSL version 1.0.1k fixing some security vulnerabilities. Copssh is not affected by those vulnerabilities, as it uses OpenSSL for some cryptographical support only. Cygwin DLL and GNU tools are also upgraded to their latest availabel versions.
Changelog
Copssh version 5.0.2 is a maintenance release coming with OpenSSL version 1.0.1j fixing some security vulnerabilities including POODLE attack .
NB! Copssh is not affected by vulnerabilities mentioned above, as it uses OpenSSL for some cryptographical support only.
Changelog
Copssh version 5.0.1 is a maintenance release fixing two problems:
Home directory is not created during the user activation if not existed before - this bug was introduced in the product version of 5.0.0
Non-functioning session overview via status tab
Changelog
Copssh version 5.0.0 contains the latest available OpenSSH version 6.7 with many features and bug fixes . Please pay special attention to backward-incompatible changes like removing unsafe algorithms from the default set of ciphers/MACs and removing support for tcpwrappers.
We have also updated most of the GNU Tools and Cygwin to their latest available versions, including bash coming with a ShellShock immune version:
You can now specify user-specific advanced options in the Copssh Control Panel (available only for the product version!):
Changelog
Copssh version 4.9.3 comes with an updated Control Panel with following improvements:
It is now possible to instruct the Control panel not to convert user names to lowercase. If you add the parameter below to the bin/copsshcp.config file, no conversion will find place:
[Options]LowercaseUsername=0
The default behaviour is still conversion to lowercase.
A chrooted sftp environment allowing isolated directories (access type Sftp) was only supported if the default service account (SvcCOPSSH) is selected. It is now supported for all kinds of service accounts including domain users.
Copssh takes a service restart if a chrooted environment (access type Sftp) is specified during user activation, to avoid error messages about improper permissions on a chrooted directory.
Changelog
Copssh version 4.9.2 contains version 1.0.1h of OpenSSL addressing 6 security vulnerabilities announced recently .
The Secure Shell (SSH) is a different protocol from SSL or TLS. OpenSSH relies on the OpenSSL library for access to the cryptographic primitives it provides, not for the TLS or SSL implementations.
Copssh is not vulnerable to those flaws.
Changelog
Copssh 4.9.1 patch 1001 contains version 1.0.1h of OpenSSL addressing 7 security vulnerabilities announced recently . Even if most of the vulnerabilities affects the TLS implementation which are not used by Copssh, SSL/TLS MITM vulnerability (CVE-2014-0224) can affect ssl clients and servers.
Changelog
Copssh version 4.9.1 installers contain OpenSSL 1.0.1g fixing Heartbleed security vulnerability. Related US-CERT Alert is here .
OpenSSL Security Advisory [07 Apr 2014] - TLS heartbeat read overrun (CVE-2014-0160) A missing bounds check in the handling of the TLS heartbeat extension can be used to reveal up to 64k of memory to a connected client or server. Only 1.0.1 and 1.0.2-beta releases of OpenSSL are affected including 1.0.1f and 1.0.2-beta1. Thanks for Neel Mehta of Google Security for discovering this bug and to Adam Langley <agl@chromium.org > and Bodo Moeller <bmoeller@acm.org > for preparing the fix. Affected users should upgrade to OpenSSL 1.0.1g. Users unable to immediately upgrade can alternatively recompile OpenSSL with -DOPENSSL_NO_HEARTBEATS. 1.0.2 will be fixed in 1.0.2-beta2.
Copssh doesn't use TLS and is not vulnerable to a Heartbleed attack.
Changelog Copssh 4.9.0 contains OpenSSH 6.6p binaries.
Changes since OpenSSH 6.5
This is primarily a bugfix release.
Security :
* sshd(8): when using environment passing with a sshd_config(5) AcceptEnv pattern with a wildcard. OpenSSH prior to 6.6 could be tricked into accepting any enviornment variable that contains the characters before the wildcard character.
New / changed features:
* ssh(1), sshd(8): this release removes the J-PAKE authentication code . This code was experimental, never enabled and had been unmaintained for some time.
* ssh(1): when processing Match blocks, skip 'exec' clauses other clauses predicates failed to match.
* ssh(1): if hostname canonicalisation is enabled and results in the destination hostname being changed, then re-parse ssh_config(5) files using the new destination hostname. This gives 'Host' and 'Match' directives that use the expanded hostname a chance to be applied.
Bugfixes:
* ssh(1): avoid spurious "getsockname failed: Bad file descriptor" in ssh -W. bz#2200, debian#738692
* sshd(8): allow the shutdown(2) syscall in seccomp-bpf and systrace sandbox modes, as it is reachable if the connection is terminated during the pre-auth phase.
* ssh(1), sshd(8): fix unsigned overflow that in SSH protocol 1 bignum parsing. Minimum key length checks render this bug unexploitable to compromise SSH 1 sessions.
* sshd_config(5): clarify behaviour of a keyword that appears in multiple matching Match blocks. bz#2184
* ssh(1): avoid unnecessary hostname lookups when canonicalisation is disabled. bz#2205
* sshd(8): avoid sandbox violation crashes in GSSAPI code by caching the supported list of GSSAPI mechanism OIDs before entering the sandbox. bz#2107
* ssh(1): fix possible crashes in SOCKS4 parsing caused by assumption that the SOCKS username is nul-terminated.
* ssh(1): fix regression for UsePrivilegedPort=yes when BindAddress is not specified.
* ssh(1), sshd(8): fix memory leak in ECDSA signature verification.
* ssh(1): fix matching of 'Host' directives in ssh_config(5) files to be case-insensitive again (regression in 6.5).
Portable OpenSSH:
* sshd(8): don't fatal if the FreeBSD Capsicum is offered by the system headers and libc but is not supported by the kernel.
* Fix build using the HP-UX compiler.
Changelog
Both Copssh installer and Control Panel are updated to handle Ed25519 based keys ========================= Changes since OpenSSH 6.4 =========================
This is a feature-focused release.
New features:
* ssh(1), sshd(8): Add support for key exchange using elliptic-curve Diffie Hellman in Daniel Bernstein's Curve25519. This key exchange method is the default when both the client and server support it.
* ssh(1), sshd(8): Add support for Ed25519 as a public key type. Ed25519 is a elliptic curve signature scheme that offers better security than ECDSA and DSA and good performance. It may be used for both user and host keys.
* Add a new private key format that uses a bcrypt KDF to better protect keys at rest. This format is used unconditionally for Ed25519 keys, but may be requested when generating or saving existing keys of other types via the -o ssh-keygen(1) option. We intend to make the new format the default in the near future. Details of the new format are in the PROTOCOL.key file.
* ssh(1), sshd(8): Add a new transport cipher "chacha20-poly1305@openssh.com " that combines Daniel Bernstein's ChaCha20 stream cipher and Poly1305 MAC to build an authenticated encryption mode. Details are in the PROTOCOL.chacha20poly1305 file.
* ssh(1), sshd(8): Refuse RSA keys from old proprietary clients and servers that use the obsolete RSA+MD5 signature scheme. It will still be possible to connect with these clients/servers but only DSA keys will be accepted, and OpenSSH will refuse connection entirely in a future release.
* ssh(1), sshd(8): Refuse old proprietary clients and servers that use a weaker key exchange hash calculation.
* ssh(1): Increase the size of the Diffie-Hellman groups requested for each symmetric key size. New values from NIST Special Publication 800-57 with the upper limit specified by RFC4419.
* ssh(1), ssh-agent(1): Support pkcs#11 tokes that only provide X.509 certs instead of raw public keys (requested as bz#1908).
* ssh(1): Add a ssh_config(5) "Match" keyword that allows conditional configuration to be applied by matching on hostname, user and result of arbitrary commands.
* ssh(1): Add support for client-side hostname canonicalisation using a set of DNS suffixes and rules in ssh_config(5). This allows unqualified names to be canonicalised to fully-qualified domain names to eliminate ambiguity when looking up keys in known_hosts or checking host certificate names.
* sftp-server(8): Add the ability to whitelist and/or blacklist sftp protocol requests by name.
* sftp-server(8): Add a sftp "fsync@openssh.com " to support calling fsync(2) on an open file handle.
* sshd(8): Add a ssh_config(5) PermitTTY to disallow TTY allocation, mirroring the longstanding no-pty authorized_keys option.
* ssh(1): Add a ssh_config ProxyUseFDPass option that supports the use of ProxyCommands that establish a connection and then pass a connected file descriptor back to ssh(1). This allows the ProxyCommand to exit rather than staying around to transfer data.
Bugfixes:
* ssh(1), sshd(8): Fix potential stack exhaustion caused by nested certificates.
* ssh(1): bz#1211: make BindAddress work with UsePrivilegedPort.
* sftp(1): bz#2137: fix the progress meter for resumed transfer.
* ssh-add(1): bz#2187: do not request smartcard PIN when removing keys from ssh-agent.
* sshd(8): bz#2139: fix re-exec fallback when original sshd binary cannot be executed.
* ssh-keygen(1): Make relative-specified certificate expiry times relative to current time and not the validity start time.
* sshd(8): bz#2161: fix AuthorizedKeysCommand inside a Match block.
* sftp(1): bz#2129: symlinking a file would incorrectly canonicalise the target path.
* ssh-agent(1): bz#2175: fix a use-after-free in the PKCS#11 agent helper executable.
* sshd(8): Improve logging of sessions to include the user name, remote host and port, the session type (shell, command, etc.) and allocated TTY (if any).
* sshd(8): bz#1297: tell the client (via a debug message) when their preferred listen address has been overridden by the server's GatewayPorts setting.
* sshd(8): bz#2162: include report port in bad protocol banner message.
* sftp(1): bz#2163: fix memory leak in error path in do_readdir().
* sftp(1): bz#2171: don't leak file descriptor on error.
* sshd(8): Include the local address and port in "Connection from ..." message (only shown at loglevel>=verbose).
Portable OpenSSH:
* Please note that this is the last version of Portable OpenSSH that will support versions of OpenSSL prior to 0.9.6. Support (i.e. SSH_OLD_EVP) will be removed following the 6.5p1 release.
* Portable OpenSSH will attempt compile and link as a Position Independent Executable on Linux, OS X and OpenBSD on recent gcc-like compilers. Other platforms and older/other compilers may request this using the --with-pie configure flag.
* A number of other toolchain-related hardening options are used automatically if available, including -ftrapv to abort on signed integer overflow and options to write-protect dynamic linking information. The use of these options may be disabled using the --without-hardening configure flag.
* If the toolchain supports it, one of the -fstack-protector-strong, -fstack-protector-all or -fstack-protector compilation flag are used to add guards to mitigate attacks based on stack overflows. The use of these options may be disabled using the --without-stackprotect configure option.
* sshd(8): Add support for pre-authentication sandboxing using the Capsicum API introduced in FreeBSD 10.
* Switch to a ChaCha20-based arc4random() PRNG for platforms that do not provide their own.
* sshd(8): bz#2156: restore Linux oom_adj setting when handling SIGHUP to maintain behaviour over retart.
* sshd(8): bz#2032: use local username in krb5_kuserok check rather than full client name which may be of form user@REALM.
* ssh(1), sshd(8): Test for both the presence of ECC NID numbers in OpenSSL and that they actually work. Fedora (at least) has NID_secp521r1 that doesn't work.
* bz#2173: use pkg-config --libs to include correct -L location for libedit.
Changelog
Copssh 4.7.2 features a new Control Panel with the capability of configuring isolated SFTP home directories. It does this by using the OpenSSH ChrootDirectory directive. By setting proper file system permissions in addition, customers will now be able to setup more secure SFTP installations. This feature is available for 'Sftp' access type and the cuurent version assumes that SvcCOPSSH is used as a service account. However, there is a small workaround to handle other service accounts as well.
Changelog Copssh 4.7.1 has OpenSSL 1.0.1f containing security fixes against vulnerabilities CVE-2013-4353, CVE-2013-6450 and CVE-2013-6449:
CVE-2013-4353 A carefully crafted invalid TLS handshake could crash OpenSSL with a NULL pointer exception. A malicious server could use this flaw to crash a connecting client. This issue only affected OpenSSL 1.0.1 versions. Reported by Anton Johansson.CVE-2013-6450 A flaw in DTLS handling can cause an application using OpenSSL and DTLS to crash. This is not a vulnerability for OpenSSL prior to 1.0.0. Reported by Dmitry Sobinov.CVE-2013-6449 A flaw in OpenSSL can cause an application using OpenSSL to crash when using TLS version 1.2. This issue only affected OpenSSL 1.0.1 versions. Reported by Ron Barber.
In addition, Cygwin and other tools are updated to their latest versions.
Existing customers can download the latest version from their customer pages at www.itefix.net
Changelog OpenSSH 6.4 fixes a security bug:
* sshd(8): fix a memory corruption problem triggered during rekeying when an AES-GCM cipher is selected. Full details of the vulnerability are available at: http://www.openssh.com/txt/gcmrekey.adv
Existing customers can download latest versions from their customer pages at www.itefix.net
Changelog Both 32-bit and 64-bit Copssh installers are updated with OpenSSH 6.3 and newer versions of Cygwin DLL and tools. OpenSSH 6.3 Change log
Existing customers can download latest versions from their customer pages at www.itefix.net
Changelog
Copssh is now delivered as a bundle containing installers for 32-bit (x86) and 64-bit (x64) architectures.
Existing customers can download latest versions from their customer pages at www.itefix.net
Changelog
Copssh version 4.5.0 contains OpenSSH 6.2 with following changes:
Features:
* ssh(1)/sshd(8): Added support for AES-GCM authenticated encryption in
SSH protocol 2. The new cipher is available as aes128-gcm@openssh.com
and aes256-gcm@openssh.com . It uses an identical packet format to the
AES-GCM mode specified in RFC 5647, but uses simpler and different
selection rules during key exchange.
* ssh(1)/sshd(8): Added support for encrypt-then-mac (EtM) MAC modes
for SSH protocol 2. These modes alter the packet format and compute
the MAC over the packet length and encrypted packet rather than over
the plaintext data. These modes are considered more secure and are
used by default when available.
* ssh(1)/sshd(8): Added support for the UMAC-128 MAC as
"umac-128@openssh.com " and "umac-128-etm@openssh.com ". The latter
being an encrypt-then-mac mode.
* sshd(8): Added support for multiple required authentication in SSH
protocol 2 via an AuthenticationMethods option. This option lists
one or more comma-separated lists of authentication method names.
Successful completion of all the methods in any list is required for
authentication to complete. This allows, for example, requiring a
user having to authenticate via public key or GSSAPI before they
are offered password authentication.
* sshd(8)/ssh-keygen(1): Added support for Key Revocation Lists
(KRLs), a compact binary format to represent lists of revoked keys
and certificates that take as little as one bit per certificate when
revoking by serial number. KRLs may be generated using ssh-keygen(1)
and are loaded into sshd(8) via the existing RevokedKeys sshd_config
option.
* ssh(1): IdentitiesOnly now applies to keys obtained from a
PKCS11Provider. This allows control of which keys are offered from
tokens using IdentityFile.
* sshd(8): sshd_config(5)'s AllowTcpForwarding now accepts "local"
and "remote" in addition to its previous "yes"/"no" keywords to allow
the server to specify whether just local or remote TCP forwarding is
enabled.
* sshd(8): Added a sshd_config(5) option AuthorizedKeysCommand to
support fetching authorized_keys from a command in addition to (or
instead of) from the filesystem. The command is run under an account
specified by an AuthorizedKeysCommandUser sshd_config(5) option.
* sftp-server(8): Now supports a -d option to allow the starting
directory to be something other than the user's home directory.
* ssh-keygen(1): Now allows fingerprinting of keys hosted in PKCS#11
tokens using "ssh-keygen -lD pkcs11_provider".
* ssh(1): When SSH protocol 2 only is selected (the default), ssh(1)
now immediately sends its SSH protocol banner to the server without
waiting to receive the server's banner, saving time when connecting.
* ssh(1): Added ~v and ~V escape sequences to raise and lower the
logging level respectively.
* ssh(1): Made the escape command help (~?) context sensitive so that
only commands that will work in the current session are shown.
* ssh-keygen(1): When deleting host lines from known_hosts using
"ssh-keygen -R host", ssh-keygen(1) now prints details of which lines
were removed.
Bugfixes:
* ssh(1): Force a clean shutdown of ControlMaster client sessions when
the ~. escape sequence is used. This means that ~. should now work in
mux clients even if the server is no longer responding.
* ssh(1): Correctly detect errors during local TCP forward setup in
multiplexed clients. bz#2055
* ssh-add(1): Made deleting explicit keys "ssh-add -d" symmetric with
adding keys with respect to certificates. It now tries to delete the
corresponding certificate and respects the -k option to allow deleting
of the key only.
* sftp(1): Fix a number of parsing and command-editing bugs, including
bz#1956
* ssh(1): When muxmaster is run with -N, ensured that it shuts down
gracefully when a client sends it "-O stop" rather than hanging around.
bz#1985
* ssh-keygen(1): When screening moduli candidates, append to the file
rather than overwriting to allow resumption. bz#1957
* ssh(1): Record "Received disconnect" messages at ERROR rather than
INFO priority. bz#2057.
* ssh(1): Loudly warn if explicitly-provided private key is unreadable.
bz#1981
Portable OpenSSH:
* sshd(8): The Linux seccomp-filter sandbox is now supported on ARM
platforms where the kernel supports it.
* sshd(8): The seccomp-filter sandbox will not be enabled if the system
headers support it at compile time, regardless of whether it can be
enabled then. If the run-time system does not support seccomp-filter,
sshd will fall back to the rlimit pseudo-sandbox.
* ssh(1): Don't link in the Kerberos libraries. They aren't necessary
on the client, just on sshd(8). bz#2072
* Fix GSSAPI linking on Solaris, which uses a differently-named GSSAPI
library. bz#2073
* Fix compilation on systems with openssl-1.0.0-fips.
* Fix a number of errors in the RPM spec files.
Changelog
Copssh version 4.4.3 is an update with substantial speed improvements in control panel. Following bugs are also fixed:
PKA (Public Key Authentication Wizard) doesn't recognize user customizable home directories properly.
Control Panel doesn't update firewall settings upon port change.
Time window for event log doesn't work as expected.
Existing customers can download the latest version from their customer page at www.itefix.net
Changelog
Version 4.4.1 has an user activation wizard allowing users to specify home directories of their choice.
In addition, there is no need to specify domain names during login any longer. You need only to specify user names in lowercase . All activated users gets also Windows user right 'Logon locally' automatically assigned (See FAQ I can't login as an ordinary user ! )
Changelog Copssh version 1.4.6 includes openssh 5.1 , openssl 0.9.8h and cygwin 1.5.25-15 . Upgrade is strongly recommended as OpenSSL 0.9.8h addresses two moderate security vulnerabilities . In addition, OpenSSH 5.1 has many new features and bug fixes. You will also notice that many core tools in the package are updated with the most recent versions.
Hiding the service account from welcome screen is an another convenient feature for users of XP/Vista. The copssh uninstaller is now more user friendly as it gives a warning about the consequences of uninstalling copssh with user created symbolic links/shortcuts intact.
You may visit File Release Notes and changelog at Sourceforge for more detailed information.