=========================
This is a major release, containing a number of new features as
well as a large internal re-factoring.
Potentially-incompatible changes
--------------------------------
* sshd(8): UseDNS now defaults to 'no'. Configurations that match
against the client host name (via sshd_config or authorized_keys)
may need to re-enable it or convert to matching against addresses.
New Features
------------
* Much of OpenSSH's internal code has been re-factored to be more
library-like. These changes are mostly not user-visible, but
have greatly improved OpenSSH's testability and internal layout.
* Add FingerprintHash option to ssh(1) and sshd(8), and equivalent
command-line flags to the other tools to control algorithm used
for key fingerprints. The default changes from MD5 to SHA256 and
format from hex to base64.
Fingerprints now have the hash algorithm prepended. An example of
the new format: SHA256:mVPwvezndPv/ARoIadVY98vAC0g+P/5633yTC4d/wXE
Please note that visual host keys will also be different.
* ssh(1), sshd(8): Experimental host key rotation support. Add a
protocol extension for a server to inform a client of all its
available host keys after authentication has completed. The client
may record the keys in known_hosts, allowing it to upgrade to better
host key algorithms and a server to gracefully rotate its keys.
The client side of this is controlled by a UpdateHostkeys config
option (default off).
* ssh(1): Add a ssh_config HostbasedKeyType option to control which
host public key types are tried during host-based authentication.
* ssh(1), sshd(8): fix connection-killing host key mismatch errors
when sshd offers multiple ECDSA keys of different lengths.
* ssh(1): when host name canonicalisation is enabled, try to
parse host names as addresses before looking them up for
canonicalisation. fixes bz#2074 and avoiding needless DNS
lookups in some cases.
* ssh-keygen(1), sshd(8): Key Revocation Lists (KRLs) no longer
require OpenSSH to be compiled with OpenSSL support.
* ssh(1), ssh-keysign(8): Make ed25519 keys work for host based
authentication.
* sshd(8): SSH protocol v.1 workaround for the Meyer, et al,
Bleichenbacher Side Channel Attack. Fake up a bignum key before
RSA decryption.
* sshd(8): Remember which public keys have been used for
authentication and refuse to accept previously-used keys.
This allows AuthenticationMethods=publickey,publickey to require
that users authenticate using two _different_ public keys.
* sshd(8): add sshd_config HostbasedAcceptedKeyTypes and
PubkeyAcceptedKeyTypes options to allow sshd to control what
public key types will be accepted. Currently defaults to all.
* sshd(8): Don't count partial authentication success as a failure
against MaxAuthTries.
* ssh(1): Add RevokedHostKeys option for the client to allow
text-file or KRL-based revocation of host keys.
* ssh-keygen(1), sshd(8): Permit KRLs that revoke certificates by
serial number or key ID without scoping to a particular CA.
* ssh(1): Add a "Match canonical" criteria that allows ssh_config
Match blocks to trigger only in the second config pass.
* ssh(1): Add a -G option to ssh that causes it to parse its
configuration and dump the result to stdout, similar to "sshd -T".
* ssh(1): Allow Match criteria to be negated. E.g. "Match !host".
* The regression test suite has been extended to cover more OpenSSH
features. The unit tests have been expanded and now cover key
exchange.
Bugfixes
* ssh-keyscan(1): ssh-keyscan has been made much more robust again
servers that hang or violate the SSH protocol.
* ssh(1), ssh-keygen(1): Fix regression bz#2306: Key path names were
being lost as comment fields.
* ssh(1): Allow ssh_config Port options set in the second config
parse phase to be applied (they were being ignored). bz#2286
* ssh(1): Tweak config re-parsing with host canonicalisation - make
the second pass through the config files always run when host name
canonicalisation is enabled (and not whenever the host name
changes) bz#2267
* ssh(1): Fix passing of wildcard forward bind addresses when
connection multiplexing is in use; bz#2324;
* ssh-keygen(1): Fix broken private key conversion from non-OpenSSH
formats; bz#2345.
* ssh-keygen(1): Fix KRL generation bug when multiple CAs are in
use.
* Various fixes to manual pages: bz#2288, bz#2316, bz#2273
Portable OpenSSH
* Support --without-openssl at configure time
Disables and removes dependency on OpenSSL. Many features,
including SSH protocol 1 are not supported and the set of crypto
options is greatly restricted. This will only work on systems
with native arc4random or /dev/urandom.
Considered highly experimental for now.
* Support --without-ssh1 option at configure time
Allows disabling support for SSH protocol 1.
* sshd(8): Fix compilation on systems with IPv6 support in utmpx; bz#2296
* Allow custom service name for sshd on Cygwin. Permits the use of
multiple sshd running with different service names.
Checksums:
==========
- SHA1 (openssh-6.8.tar.gz) = 99903c6ca76e0a2c044711017f81127e12459d37
- SHA256 (openssh-6.8.tar.gz) = N1uzVarFbrm2CzAwuDu3sRoszmqpK+5phAChP/QNyuw=
- SHA1 (openssh-6.8p1.tar.gz) = cdbc51e46a902b30d263b05fdc71340920e91c92
- SHA256 (openssh-6.8p1.tar.gz) = P/ZM5z7hJEgLW/dnuYMNfTwDu8tqvnFrePAZLDfOFg4=
Please note that the PGP key used to sign releases was recently rotated.
The new key has been signed by the old key to provide continuity. It is
available from the mirror sites as RELEASE_KEY.asc.
Reporting Bugs:
===============
- Please read http://www.openssh.com/report.html
Security bugs should be reported directly to openssh@openssh.com
OpenSSH is brought to you by Markus Friedl, Niels Provos, Theo de Raadt,
Kevin Steves, Damien Miller, Darren Tucker, Jason McIntyre, Tim Rice and
Ben Lindstrom.
The vulnerabilities listed below were previously fixed by patches
supplied by the OpenSSL project.
Thus, this import is not about vulnerabilities, but about the change
in source style OpenSSL applied before 1.0.1m (as well as small fixes
not listed in the changelog that make us have a 'proper' 1.0.1m).
Upstream Changelog:
Changes between 1.0.1l and 1.0.1m [19 Mar 2015]
*) Segmentation fault in ASN1_TYPE_cmp fix
The function ASN1_TYPE_cmp will crash with an invalid read if an attempt is
made to compare ASN.1 boolean types. Since ASN1_TYPE_cmp is used to check
certificate signature algorithm consistency this can be used to crash any
certificate verification operation and exploited in a DoS attack. Any
application which performs certificate verification is vulnerable including
OpenSSL clients and servers which enable client authentication.
(CVE-2015-0286)
[Stephen Henson]
*) ASN.1 structure reuse memory corruption fix
Reusing a structure in ASN.1 parsing may allow an attacker to cause
memory corruption via an invalid write. Such reuse is and has been
strongly discouraged and is believed to be rare.
Applications that parse structures containing CHOICE or ANY DEFINED BY
components may be affected. Certificate parsing (d2i_X509 and related
functions) are however not affected. OpenSSL clients and servers are
not affected.
(CVE-2015-0287)
[Stephen Henson]
*) PKCS7 NULL pointer dereferences fix
The PKCS#7 parsing code does not handle missing outer ContentInfo
correctly. An attacker can craft malformed ASN.1-encoded PKCS#7 blobs with
missing content and trigger a NULL pointer dereference on parsing.
Applications that verify PKCS#7 signatures, decrypt PKCS#7 data or
otherwise parse PKCS#7 structures from untrusted sources are
affected. OpenSSL clients and servers are not affected.
This issue was reported to OpenSSL by Michal Zalewski (Google).
(CVE-2015-0289)
[Emilia Käsper]
*) DoS via reachable assert in SSLv2 servers fix
A malicious client can trigger an OPENSSL_assert (i.e., an abort) in
servers that both support SSLv2 and enable export cipher suites by sending
a specially crafted SSLv2 CLIENT-MASTER-KEY message.
This issue was discovered by Sean Burford (Google) and Emilia Käsper
(OpenSSL development team).
(CVE-2015-0293)
[Emilia Käsper]
*) Use After Free following d2i_ECPrivatekey error fix
A malformed EC private key file consumed via the d2i_ECPrivateKey function
could cause a use after free condition. This, in turn, could cause a double
free in several private key parsing functions (such as d2i_PrivateKey
or EVP_PKCS82PKEY) and could lead to a DoS attack or memory corruption
for applications that receive EC private keys from untrusted
sources. This scenario is considered rare.
This issue was discovered by the BoringSSL project and fixed in their
commit 517073cd4b.
(CVE-2015-0209)
[Matt Caswell]
*) X509_to_X509_REQ NULL pointer deref fix
The function X509_to_X509_REQ will crash with a NULL pointer dereference if
the certificate key is invalid. This function is rarely used in practice.
This issue was discovered by Brian Carpenter.
(CVE-2015-0288)
[Stephen Henson]
*) Removed the export ciphers from the DEFAULT ciphers
[Kurt Roeckx]
Changes between 1.0.1k and 1.0.1l [15 Jan 2015]
*) Build fixes for the Windows and OpenVMS platforms
[Matt Caswell and Richard Levitte]
lines are changed into either #define SOMETHING or #undef SOMETHING,
but in our in-tree build it is installed verbatim - so comment out all
#undef parts, to allow our makefile fragments to freely -DSOMETHING
and not have it silently canceld here.
to NetBSD base:
OpenSSL Security Advisory [19 Mar 2015]
=======================================
Reclassified: RSA silently downgrades to EXPORT_RSA [Client] (CVE-2015-0204)
============================================================================
Severity: High
This security issue was previously announced by the OpenSSL project and
classified as "low" severity. This severity rating has now been changed to
"high".
This was classified low because it was originally thought that server RSA
export ciphersuite support was rare: a client was only vulnerable to a MITM
attack against a server which supports an RSA export ciphersuite. Recent
studies have shown that RSA export ciphersuites support is far more common.
This issue affects OpenSSL versions: 1.0.1, 1.0.0 and 0.9.8.
** issue already committed see last release **
OpenSSL 1.0.1 users should upgrade to 1.0.1k.
OpenSSL 1.0.0 users should upgrade to 1.0.0p.
OpenSSL 0.9.8 users should upgrade to 0.9.8zd.
This issue was reported to OpenSSL on 22nd October 2014 by Karthikeyan
Bhargavan of the PROSECCO team at INRIA. The fix was developed by Stephen
Henson of the OpenSSL core team. It was previously announced in the OpenSSL
security advisory on 8th January 2015.
Segmentation fault in ASN1_TYPE_cmp (CVE-2015-0286)
===================================================
Severity: Moderate
The function ASN1_TYPE_cmp will crash with an invalid read if an attempt is
made to compare ASN.1 boolean types. Since ASN1_TYPE_cmp is used to check
certificate signature algorithm consistency this can be used to crash any
certificate verification operation and exploited in a DoS attack. Any
application which performs certificate verification is vulnerable including
OpenSSL clients and servers which enable client authentication.
This issue affects all current OpenSSL versions: 1.0.2, 1.0.1, 1.0.0 and 0.9.8.
OpenSSL 1.0.2 users should upgrade to 1.0.2a
commit 1b8ac2b07d02207f2b88e0b009b0bff4ef7eda96
OpenSSL 1.0.1 users should upgrade to 1.0.1m.
commit ee5a1253285e5c9f406c8b57b0686319b70c07d8
OpenSSL 1.0.0 users should upgrade to 1.0.0r.
commit 1e3ca524cb38ec92deea37629718e98aba43bc5d
OpenSSL 0.9.8 users should upgrade to 0.9.8zf.
commit 7058bd1712828a78d34457b1cfc32bdc1e6d3d33
This issue was discovered and fixed by Stephen Henson of the OpenSSL
development team.
ASN.1 structure reuse memory corruption (CVE-2015-0287)
=======================================================
Severity: Moderate
Reusing a structure in ASN.1 parsing may allow an attacker to cause
memory corruption via an invalid write. Such reuse is and has been
strongly discouraged and is believed to be rare.
Applications that parse structures containing CHOICE or ANY DEFINED BY
components may be affected. Certificate parsing (d2i_X509 and related
functions) are however not affected. OpenSSL clients and servers are
not affected.
This issue affects all current OpenSSL versions: 1.0.2, 1.0.1, 1.0.0
and 0.9.8.
OpenSSL 1.0.2 users should upgrade to 1.0.2a
commit 0ca8edbe6ec402e39c9e095f8ae11dba8fa93fc1
OpenSSL 1.0.1 users should upgrade to 1.0.1m.
commit a9f34a7aac5fd89f33a34fb71e954b85fbf35875
OpenSSL 1.0.0 users should upgrade to 1.0.0r.
commit d96692c933fe02829c3e922bf7f239e0bd003759
OpenSSL 0.9.8 users should upgrade to 0.9.8zf.
commit 5722767d5dc1a3b5505058fe27877fc993fe9a5a
This issue was discovered by Emilia Käsper and a fix developed by
Stephen Henson of the OpenSSL development team.
PKCS7 NULL pointer dereferences (CVE-2015-0289)
===============================================
Severity: Moderate
The PKCS#7 parsing code does not handle missing outer ContentInfo correctly.
An attacker can craft malformed ASN.1-encoded PKCS#7 blobs with
missing content and trigger a NULL pointer dereference on parsing.
Applications that verify PKCS#7 signatures, decrypt PKCS#7 data or
otherwise parse PKCS#7 structures from untrusted sources are
affected. OpenSSL clients and servers are not affected.
This issue affects all current OpenSSL versions: 1.0.2, 1.0.1, 1.0.0
and 0.9.8.
OpenSSL 1.0.2 users should upgrade to 1.0.2a
commit e0d6a791c53b64da64277c5565eb89b1cb149fc3
OpenSSL 1.0.1 users should upgrade to 1.0.1m.
commit d3d52c73544bba800c2a8f5ef3376358158cf2ca
OpenSSL 1.0.0 users should upgrade to 1.0.0r.
commit 1f858109d0556b5864bb6a0aa3e2d177b1cc4552
OpenSSL 0.9.8 users should upgrade to 0.9.8zf.
commit f20caf7f66cb1eb9ba9562e6097bc7b64d207cb9
This issue was reported to OpenSSL on February 16th 2015 by Michal
Zalewski (Google) and a fix developed by Emilia Käsper of the OpenSSL
development team.
Base64 decode (CVE-2015-0292)
=============================
Severity: Moderate
A vulnerability existed in previous versions of OpenSSL related to the
processing of base64 encoded data. Any code path that reads base64 data from an
untrusted source could be affected (such as the PEM processing routines).
Maliciously crafted base 64 data could trigger a segmenation fault or memory
corruption. This was addressed in previous versions of OpenSSL but has not been
included in any security advisory until now.
This issue affects OpenSSL versions: 1.0.1, 1.0.0 and 0.9.8.
OpenSSL 1.0.1 users should upgrade to 1.0.1h.
OpenSSL 1.0.0 users should upgrade to 1.0.0m.
OpenSSL 0.9.8 users should upgrade to 0.9.8za.
The fix for this issue can be identified by commits d0666f289a (1.0.1),
84fe686173 (1.0.0) and 9febee0272 (0.9.8). This issue was originally reported by
Robert Dugal and subsequently by David Ramos.
DoS via reachable assert in SSLv2 servers (CVE-2015-0293)
=========================================================
Severity: Moderate
A malicious client can trigger an OPENSSL_assert (i.e., an abort) in
servers that both support SSLv2 and enable export cipher suites by sending
a specially crafted SSLv2 CLIENT-MASTER-KEY message.
This issue affects all current OpenSSL versions: 1.0.2, 1.0.1, 1.0.0
and 0.9.8.
OpenSSL 1.0.2 users should upgrade to 1.0.2a
commit b29d57f20d4821a9d3f4e19673a89615e4c6fcf0
OpenSSL 1.0.1 users should upgrade to 1.0.1m.
commit a40c1bcb8c37fbad24d8f28f0fb0204d76f0fee2
OpenSSL 1.0.0 users should upgrade to 1.0.0r.
commit ee4435e5b587879e7bd66df10d4d9ec274e2b163
OpenSSL 0.9.8 users should upgrade to 0.9.8zf.
commit ab646ee5a6a7b8cace425a617a053ad6d7977086
This issue was discovered by Sean Burford (Google) and Emilia Käsper
(OpenSSL development team) in March 2015 and the fix was developed by
Emilia Käsper.
Use After Free following d2i_ECPrivatekey error (CVE-2015-0209)
===============================================================
Severity: Low
A malformed EC private key file consumed via the d2i_ECPrivateKey function could
cause a use after free condition. This, in turn, could cause a double
free in several private key parsing functions (such as d2i_PrivateKey
or EVP_PKCS82PKEY) and could lead to a DoS attack or memory corruption
for applications that receive EC private keys from untrusted
sources. This scenario is considered rare.
This issue affects all current OpenSSL versions: 1.0.2, 1.0.1, 1.0.0 and 0.9.8.
** issue already committed **
OpenSSL 1.0.2 users should upgrade to 1.0.2a
OpenSSL 1.0.1 users should upgrade to 1.0.1m.
OpenSSL 1.0.0 users should upgrade to 1.0.0r.
OpenSSL 0.9.8 users should upgrade to 0.9.8zf.
1b4a8df38f
This issue was discovered by the BoringSSL project and fixed in their commit
517073cd4b. The OpenSSL fix was developed by Matt Caswell of the OpenSSL
development team.
X509_to_X509_REQ NULL pointer deref (CVE-2015-0288)
===================================================
Severity: Low
The function X509_to_X509_REQ will crash with a NULL pointer dereference if
the certificate key is invalid. This function is rarely used in practice.
This issue affects all current OpenSSL versions: 1.0.2, 1.0.1, 1.0.0
and 0.9.8.
** issue already committed **
OpenSSL 1.0.2 users should upgrade to 1.0.2a
OpenSSL 1.0.1 users should upgrade to 1.0.1m.
OpenSSL 1.0.0 users should upgrade to 1.0.0r.
OpenSSL 0.9.8 users should upgrade to 0.9.8zf.
https://git.openssl.org/gitweb/?p=openssl.git;a=commit;h=28a00bcd8e318da18031b2ac8778c64147cd54f9
This issue was discovered by Brian Carpenter and a fix developed by Stephen
Henson of the OpenSSL development team.
References
==========
URL for this Security Advisory:
https://www.openssl.org/news/secadv_20150319.txt
Note: the online version of the advisory may be updated with additional
details over time.
For details of OpenSSL severity classifications please see:
https://www.openssl.org/about/secpolicy.html
