OpenBSD Journal

OpenSSH 5.0 released

Contributed by jj on from the 5-ants-are-more-than-4.9-elephants. dept.

OpenSSH 5.0 has just been released. It will be available from the mirrors listed at www.openssh.com shortly.
The OpenBSD errata for the issue is here.
We apologise for any inconvenience resulting from this release being made so shortly after 4.9. Unfortunately we only learned of the below security issue from the public CVE report. The Debian OpenSSH maintainers responsible for handling the initial report of this bug failed to report it via either the private OpenSSH security contact list (openssh@openssh.com) or the portable OpenSSH Bugzilla (http://bugzilla.mindrot.org/).

We ask anyone wishing to report security bugs in OpenSSH to please use the openssh@openssh.com contact and to practice responsible disclosure.

OpenSSH is a 100% complete SSH protocol version 1.3, 1.5 and 2.0 implementation and includes sftp client and server support.

Once again, we would like to thank the OpenSSH community for their continued support of the project, especially those who contributed code or patches, reported bugs, tested snapshots and purchased T-shirts or posters.

T-shirt, poster and CD sales directly support the project. Pictures and more information can be found at:
        http://www.openbsd.org/tshirts.html and
        http://www.openbsd.org/orders.html

For international orders use https.openbsd.org/cgi-bin/order
and for European orders, use https.openbsd.org/cgi-bin/order.eu

Changes since OpenSSH 4.9:
============================

Security:

 * CVE-2008-1483: Avoid possible hijacking of X11-forwarded connections
   by refusing to listen on a port unless all address families bind
   successfully.
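To make the fix in the note concrete, here is an added illustration (my own example, not OpenSSH's code) of the two allocation rules for an X11 forwarding listener. `choose_display_partial` reconstructs the pre-5.0 behaviour as the note describes it: whatever address families bind are kept, and the display is only skipped when nothing bound at all. `choose_display_strict` is the 5.0 rule: a display number is used only when every family binds, otherwise everything bound so far is released and the next display is tried. `loopback_targets`, `occupy_port` and the simplification of dropping families that cannot be bound at all are assumptions of this example; the "squatter" socket is a constructed stand-in for another local process that already owns the IPv4 port.

```python
import socket

X11_BASE_PORT = 6000      # X display N is reachable on TCP port 6000 + N
X11_FIRST_DISPLAY = 10    # sshd starts searching at display 10 by default


def _bind_one(family, host, port):
    """Bind and listen on one (family, host, port); None if the port is taken.

    No SO_REUSEADDR on purpose: a forwarding listener must never share a
    port with a socket some other local process already owns.
    """
    sock = socket.socket(family, socket.SOCK_STREAM)
    try:
        if family == socket.AF_INET6:
            # keep the IPv6 socket from also claiming the IPv4 side
            sock.setsockopt(socket.IPPROTO_IPV6, socket.IPV6_V6ONLY, 1)
        sock.bind((host, port))
        sock.listen(5)
        return sock
    except OSError:
        sock.close()
        return None


def loopback_targets(host="localhost"):
    """Distinct (family, address) pairs the forwarded display must cover.

    Simplification for this example: a family whose loopback address cannot
    be bound at all (no IPv6 on this host, say) is dropped here, so a later
    bind failure really means 'someone else holds that port'.
    """
    try:
        infos = socket.getaddrinfo(host, None, socket.AF_UNSPEC, socket.SOCK_STREAM)
        candidates = [(info[0], info[4][0]) for info in infos]
    except socket.gaierror:                      # no resolver: assume dual-stack
        candidates = [(socket.AF_INET, "127.0.0.1"), (socket.AF_INET6, "::1")]
    targets = []
    for target in candidates:
        if target in targets:
            continue
        probe = _bind_one(target[0], target[1], 0)   # port 0: any free port
        if probe is not None:
            probe.close()
            targets.append(target)
    return targets


def occupy_port(family, host, port=0):
    """Constructed stand-in for another local process already holding a port."""
    sock = _bind_one(family, host, port)
    if sock is None:
        raise RuntimeError("could not occupy a port for the demonstration")
    return sock


def choose_display_partial(targets, first=X11_FIRST_DISPLAY, max_displays=1000,
                           base_port=X11_BASE_PORT):
    """Pre-5.0 rule: keep whichever families bound; skip only if none did.

    With the IPv4 port already taken, the listener ends up IPv6-only while
    DISPLAY still names this display, so IPv4 X clients reach the other socket.
    """
    for display in range(first, first + max_displays):
        port = base_port + display
        if port > 65535:
            break
        socks = [s for s in (_bind_one(f, h, port) for f, h in targets) if s is not None]
        if socks:
            return display, socks
    return None, []


def choose_display_strict(targets, first=X11_FIRST_DISPLAY, max_displays=1000,
                          base_port=X11_BASE_PORT):
    """5.0 rule: accept a display only if every family binds; else release and retry."""
    for display in range(first, first + max_displays):
        port = base_port + display
        if port > 65535:
            break
        socks = []
        for family, host in targets:
            sock = _bind_one(family, host, port)
            if sock is None:
                for bound in socks:
                    bound.close()
                socks = []
                break
            socks.append(sock)
        if socks:
            return display, socks
    return None, []


if __name__ == "__main__":
    targets = loopback_targets()
    family, host = targets[0]
    squatter = occupy_port(family, host, X11_BASE_PORT + X11_FIRST_DISPLAY)
    for name, chooser in (("partial (old)", choose_display_partial),
                          ("strict (5.0)", choose_display_strict)):
        display, socks = chooser(targets)
        print(f"{name}: DISPLAY=localhost:{display}.0 bound on "
              f"{len(socks)} of {len(targets)} address families")
        for sock in socks:
            sock.close()
    squatter.close()
```

On a dual-stack host the old rule reports display 10 bound on one of two families, which is exactly the state the attacker-owned socket exploits; the strict rule moves on to display 11 with both families bound. On an IPv4-only host both rules skip the occupied port, which is why the bug only shows when more than one address family is in play.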

Checksums:
==========

 - SHA1 (openssh-5.0.tar.gz) = 729fb3168edf6a68408223b5ed82e59d13b57c47
 - SHA1 (openssh-5.0p1.tar.gz) = 121cea3a730c0b0353334b6f46f438de30ab4928

Reporting Bugs:
===============

- please read http://www.openssh.com/report.html
  and http://bugzilla.mindrot.org/

OpenSSH is brought to you by Markus Friedl, Niels Provos, Theo de Raadt, Kevin Steves, Damien Miller, Darren Tucker, Jason McIntyre, Tim Rice and Ben Lindstrom.



Comments
  1. Comments
    1. By Anonymous Coward (204.108.8.5) on

      > http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=463011
      > Message #15: Theo was notified on February 3rd.

      Funny, I don't see him listed:
      http://www.openssh.com/report.html

      Comments
      1. By Anonymous Coward (89.191.97.92) on

        > Funny, I don't see him listed:
        > http://www.openssh.com/report.html

        That page doesn't have security/errata anyway.
        I'm pretty sure theo *again* downplayed this flaw and didn't bother...

        Comments
        1. By Brad (2001:470:8802:3:216:41ff:fe17:6933) brad at comstyle dot com on

          > > Funny, I don't see him listed:
          > > http://www.openssh.com/report.html
          >
          > That page doesn't have security/errata anyway.
          > I'm pretty sure theo *again* downplayed this flaw and didn't bother...

          and I'm pretty sure you're a clueless asshole nikns.

          Comments
          1. By Anonymous Coward (68.94.4.116) on

            > > > Funny, I don't see him listed:
            > > > http://www.openssh.com/report.html
            > >
            > > That page doesn't have security/errata anyway.
            > > I'm pretty sure theo *again* downplayed this flaw and didn't bother...
            >
            > and I'm pretty sure you're a clueless asshole nikns.

            It's an open secret sometimes ignores hints...
            Or did you patch the Kerberos things Brad? I saw no patches yet..

            So don't start talking bullshit. It's an open secret Theo ignores people he dislikes for his own reasons. No matter if they talk about facts or not.

            Comments
            1. By Brad (2001:470:8802:3:216:41ff:fe17:6933) brad at comstyle dot com on

              > Or did you patch the Kerberos things Brad? I saw no patches yet..

              Provide details and I might take you seriously.

          2. By nikns (89.191.97.92) on

            > and I'm pretty sure you're a clueless asshole nikns.

            Provide details and I might take you seriously.

            Hey BRAD, how nice is THAT?

            Comments
            1. By Brad (2001:470:8802:3:216:41ff:fe17:6933) brad at comstyle dot com on

              > > and I'm pretty sure you're a clueless asshole nikns.
              >
              > Provide details and I might take you seriously.
              >
              > Hey BRAD, how nice is THAT?

              You're just proving my point.

        2. By Damien Miller (djm) on http://www.mindrot.org/~djm/

          > > Funny, I don't see him listed:
          > > http://www.openssh.com/report.html
          >
          > That page doesn't have security/errata anyway.

          WTF? That page says:

          openssh@openssh.com. This is a private list read only by the OpenSSH developers.
          Appropriate for: reports of problems with OpenBSD's OpenSSH,
          reports of security problems on any platform.

          It might be too complex for you, but we hope that the people responsible for the security of a distribution can take a few moments to read our pages.

          > I'm pretty sure theo *again* downplayed this flaw and didn't bother...

          You clearly have no idea what you are talking about.

          Comments
          1. By nikns (89.191.97.92) on

            > That page doesn't have security/errata anyway.
            >
            > WTF? That page says:

            I said, that there is no openSSH errata on openssh.com.
            "patches and notes regarding OpenSSH" gets redirected to openBSD errata.
            Not a good source to find security flaws related to openSSH.

            >> I'm pretty sure theo *again* downplayed this flaw and didn't bother...
            >
            > You clearly have no idea what you are talking about.

            To name a few, I'm talking about PRNG weakness, about second remote root in openBSD, about systrace, about securelevels...

            Comments
            1. By Damien Miller (djm) on http://www.mindrot.org/~djm/

              > I said, that there is no openSSH errata on openssh.com.
              > "patches and notes regarding OpenSSH" gets redirected to openBSD errata.
              > Not a good source to find security flaws related to openSSH.

              WTF does that have to do with reporting bugs? (you made this argument, not me).

              > > You clearly have no idea what you are talking about.
              >
              > To name a few, I'm talking about PRNG weakness, about second
              > remote root in openBSD, about systrace, about securelevels...

              I'm not sure what point you are trying to make, and I don't think you understand most of the bugs you are referring to. OpenSSH clearly mentions every security bug in our release notes, so I don't think any accusations of "downplaying" are justified.

              Comments
              1. By Anonymous Coward (89.240.227.159) on

                > I'm not sure what point you are trying to make, and I don't think you understand most of the bugs you are referring to. OpenSSH clearly mentions every security bug in our release notes, so I don't think any accusations of "downplaying" are justified.

                I'm guessing the person who reported it to deraadt@openbsd.org was following the instructions on the OpenBSD site, which say that's the correct way of reporting security issues in OpenBSD.

                Comments
                1. By Brad (2001:470:8802:3:216:41ff:fe17:6933) brad at comstyle dot com on

                  > I'm guessing the person who reported it to deraadt@openbsd.org was following the instructions on the OpenBSD site, which say that's the correct way of reporting security issues in OpenBSD.

                  So again it comes back to them not reporting the issue properly.

            2. By Brad (2001:470:8802:3:216:41ff:fe17:6933) brad at comstyle dot com on

              > > You clearly have no idea what you are talking about.
              >
              > To name a few, I'm talking about PRNG weakness, about second remote root in openBSD, about systrace, about securelevels...

              This just proves that you have no idea what you are talking about.

    2. By Brad (2001:470:8802:3:216:41ff:fe17:6933) brad at comstyle dot com on

      > http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=463011
      > Message #15: Theo was notified on February 3rd.

      Notifying the wrong person never mind when he was out of the
      country and not near a computer for most of the month means
      that the right people are not aware of the issue.

    3. By Damien Miller (djm) on http://www.mindrot.org/~djm/

      > http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=463011
      > Message #15: Theo was notified on February 3rd.

      We maintain a group contact list because individual developers are sometimes unreachable (yes, even Theo takes holidays). Debian did not use it and, worse, never bothered to confirm before they went ahead and released.

    4. By Anonymous Coward (129.128.11.43) on

      > http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=463011
      > Message #15: Theo was notified on February 3rd.

      Theo, I believe, was in New Zealand hiking on Feb 3 - so there's no
      reason to expect he'd even notice.

      Ever wonder why there is a page that says "this is how to report a bug"
      that isn't "just mail theo". Theo isn't supposed to receive those
      reports in private mail.

  2. By Anonymous Coward (58.63.244.63) on

    Will 5.0 get backported to 4.3/4.2?

    It's a security release! :-)


    Also the earlier release simply was "wrong". 4.8 for oBSD and 4.9 for the rest of the world... I hope this releasing twister is gone now.
    Otherwise we risk outperforming Linux if it deals with releasing patches :-) :)

    Thanks a lot for OpenSSH and the chroot-sftp! :)

    Comments
    1. By Anonymous Coward (82.245.140.102) on

      > Will 5.0 get backported to 4.3/4.2?

      It is _already_ backported in cvs.

      > Also the earlier release simply was "wrong". 4.8 for oBSD and 4.9 for the rest of the world... I hope this releasing twister is gone now.

      What's wrong here? OpenSSH-portable is different from the OpenSSH version shipped with OpenBSD.

      Comments
      1. By Anonymous Coward (217.114.211.20) on

        > > Will 5.0 get backported to 4.3/4.2?
        >
        > It is _already_ backported in cvs.
        >
        > > Also the earlier release simply was "wrong". 4.8 for oBSD and 4.9 for the rest of the world... I hope this releasing twister is gone now.
        >
        > What's wrong here? OpenSSH-portable is different from the OpenSSH version shipped with OpenBSD.

        Still this could lead to confusion.
        Most people take version numbers as a hint to probably update software.

        If the versions are similar why did the portable version get 4.9?
        That's dumb.. it worked all the years before that a "p" was added to the name...

        Comments
        1. By D. Adam Karim (archite) on

          > If the versions are similar why did the portable version get 4.9?
          > That's dumb.. it worked all the years before that a "p" was added to the name...


          Maybe because it confused people into thinking it was a patch version?

          Comments
          1. By Anonymous Coward (68.62.149.244) on

            > > If the versions are similar why did the portable version get 4.9?
            > > That's dumb.. it worked all the years before that a "p" was added to the name...
            >
            >
            > Maybe because it confused people into thinking it was a patch version?

            Well, it *is* a patched version. It's patched for portability.

            Comments
            1. By D. Adam Karim (archite) on

              > Well, it *is* a patched version. It's patched for portability.

              Let me clarify a bit further: it made people assume that the not portable version was insecure compared to the portable version.

              Comments
              1. By Anonymous Coward (87.106.188.238) on

                > > Well, it *is* a patched version. It's patched for portability.
                >
                > Let me clarify a bit further: it made people assume that the not portable version was insecure compared to the portable version.

                Well, a 4.9portable didn't do the job? So let's introduce OpenBSD 5.1 for sparc, 5.2 for i386 and so on....

                It still doesn't make sense nor does look clever. I think this step was not a good one and should get removed. Not modifying the version number would have been the better way.

                Add a "4.9-portable" or so to it to clarify it. And if people were SO DUMB during the ages of time: Why do you start to care now? Was the *.*p "new"? Now it wasn't. :-p


                Now you risk that new OpenBSDs get installed and during a DUMB banner check (yeah such systems exist) they get declared as obsolete because the SSH IS OUTDATED because other OSs run 5.0.. a PRETTY clever move...

                And don't say people don't do it.. the majority is NO "guy who cares about the details"-type of administrator or coder or whatever.

                That is my point of view.

    2. By Mark Peloquin (incripshin) markpeloquin@gmail.com on

      > Will 5.0 get backported to 4.3/4.2?
      >
      > It's a security release! :-)
      >
      >
      > Also the earlier release simply was "wrong". 4.8 for oBSD and 4.9 for the rest of the world... I hope this releasing twister is gone now.
      > Otherwise we risk outperforming Linux if it deals with releasing patches :-) :)
      >
      > Thanks a lot for OpenSSH and the chroot-sftp! :)

      I hope I can try to clear it up. 4.8 was an internal release. I think it may only have been available in OpenBSD-current and OpenBSD-4.3. They gave it a separate version number so that the new OpenBSD release would have all the newest changes, but those changes didn't really constitute a whole new version. It is not even available from openssh.org for OpenBSD users:
      http://openssh.org/openbsd.html

      4.9 and 5.0 are for everybody, OpenBSD *and* the rest of the world. The p1 suffix on the version number indicates that it is a portable release.

      Here's the openssh portability changelog. You can find where OpenSSH-4.8 came into being on 20080304 (text is 'crank version'):
      ftp://ftp.ca.openbsd.org/pub/OpenBSD/OpenSSH/portable/ChangeLog

      I do agree with you, though, it is kind of a mess. What they called 4.8 really should have been called 4.7.1, because it isn't the same kind of release. And I don't know why the current release is 5.0 and not 4.10.

      Comments
      1. By Anonymous Coward (219.90.188.206) on

        >And I don't know why the current release is 5.0 and not 4.10.

        I never understood versioning of software in this manner. If I add 0.1 to 4.9 I get 5.0. Furthermore, 4.10 looks confusingly like 4.1.

        Comments
        1. By Chris (24.76.123.149) on

          > >And I don't know why the current release is 5.0 and not 4.10.
          >
          > I never understood versioning of software in this manner. If I add 0.1 to 4.9 I get 5.0. Furthermore, 4.10 looks confusingly like 4.1.

          A . doesn't always mean a numerical decimal number. Many textbooks use the . in a non-decimal fashion. I have trouble seeing how that can actually be confusing, unless you only read the first three characters and ignore the 4th?

          Comments
          1. By Huey Dewie Decimal (2001:388:f000::8bb) on

            > > >And I don't know why the current release is 5.0 and not 4.10.
            > >
            > > I never understood versioning of software in this manner. If I add 0.1 to 4.9 I get 5.0. Furthermore, 4.10 looks confusingly like 4.1.
            >
            > A . doesn't always mean a numerical decimal number. Many textbooks use the . in a non-decimal fashion. I have trouble seeing how that can actually be confusing, unless you only read the first three characters and ignore the 4th?

            It's dumb because you have to be told exactly how any particular scheme works if it is not patently obvious.

            Approaching a sequence like 4.8, 4.9, 4.10 looks just like somebody forgot to drop the trailing zero.

            Furthermore it does not sort meaningfully. Try having a directory for each in a bunch of versions. Then ls -1 might give:
            4.0
            4.1
            4.10
            4.11
            4.2
            etc.

            That's crap collation for intuitive interpretation.

            I'd be happy if versions just used integers, given that hardly anyone bothers with major.minor versioning now. OTOH OpenBSD started with a .1 version increment scheme so it's consistent to stick with that.

  3. By DoDo (217.19.26.102) on

    Why is it 5.0? and not 4.9.1????????

    it's a patch up of 4.9 and not a new featured version release....

    Comments
    1. By Bob Beck (129.128.11.43) beck@openbsd.org on

      > Why is it 5.0? and not 4.9.1????????
      >
      > it's a patch up of 4.9 and not a new featured version release....
      >

      Because it's not 4.A

      Because release numbering pedantry is retarded.

      Comments
      1. By Anonymous Coward (195.141.204.174) on

        > > Why is it 5.0? and not 4.9.1????????
        > >
        > > it's a patch up of 4.9 and not a new featured version release....
        > >
        >
        > Because it's not 4.A
        >
        > Because release numbering pedantry is retarded.


        Does "our" Version include everything (features) of the "for everybody else"-Version? Or are there further differences?

        What Version will I get if I update systems via CVS to 4.3?
        OpenSSH 4.8?!

        Why did OpenSSH 4.8 get patches which led in OpenSSH 4.9 to the conclusion to release OpenSSH 5.0?!

        So how "patched" is 4.8 right now compared to the others?!
        For portable you bumped the Version number but for our version you did not.

        Please clarify this. Thanks!

        Comments
        1. By sthen@ (85.158.45.32) on

          > Does "our" Version include everything (features) of the "for everybody else"-Version? Or are there further differences?

          Yes, OpenBSD doesn't do PAM, so the OpenBSD version of OpenSSH doesn't need to support it.

          > What Version will I get if I update systems via CVS to 4.3?
          > OpenSSH 4.8?!

          Yes of course, that was the version that was current when 4.3 was tagged.

          http://www.openbsd.org/cgi-bin/cvsweb/src/usr.bin/ssh/version.h

          And as you'll see on the errata page (and the front page of undeadly), patches are available.

          > Why did OpenSSH 4.8 get patches which led in OpenSSH 4.9 to the conclusion to release OpenSSH 5.0?!

          I really can't parse this sentence.

          > So how "patched" is 4.8 right now compared to the others?!

          And this doesn't entirely make sense, 4.8 is 4.8, if you patch it, it's not the same thing as 4.8 any more.

          > For portable you bumped the Version number but for our version you did not.

          On current:

          $ ssh -V
          OpenSSH_5.0, OpenSSL 0.9.7j 04 May 2006

          Looks bumped to me.

  4. By Daniel Ouellet (66.63.10.82) daniel@presscom.net on

    I am not sure I understand here.

    Yes the communication wasn't done right. Theo was out of the country and the notice should have been sent to the proper list as explained before here.

    However, looking into the patch and the errata release is the exact same as RedHat had done 2 years and 8 months ago here:

    http://cvs.fedora.redhat.com/viewcvs/rpms/openssh/devel/openssh-3.9p1-skip-used.patch?rev=1.1&view=markup

    So, looks like many are blaming Debian, that maybe they may have missed a little bit in proper open project communications, maybe.

    I for one sure question why in hell RedHat that did this long ago, didn't judge decent to even notify the OpenSSH maintainer for that in the first place.

    I guess they still want to take advantage of open source, make money from it and screw everyone else in the process!

    If you want to flame someone, direct your flame at the right place please!

    I find it very disturbing to see a company that made their growth and success out of others' work and can't even have the decency to return the favor when it comes to security issues like this.

    I wouldn't be so fast as to blame Debian here. They could have done it better yes, but they were not the ones that missed big time!

    The record shows it anyway.

    Best,

    Daniel

  5. By Richard Toohey (121.72.21.49) richardtoohey@hotmail.com on

    Not intending to stir (as a purchaser of said CDs, T-shirts, and posters), just seeking clarification/verification.

    Guess in future the section in the main body that reads "especially those who ... and purchased T-shirts or posters.

    T-shirt, poster and CD sales directly support the project."

    Will be changed, as per Theo's change:

    http://marc.info/?l=openbsd-cvs&m=120735755821256&w=2

    "The OpenBSD project does not receive any proceeds from tshirt, posters, doll or book sales."


Copyright © - Daniel Hartmeier. All rights reserved. Articles and comments are copyright their respective authors, submission implies license to publish on this web site. Contents of the archive prior to as well as images and HTML templates were copied from the fabulous original deadly.org with Jose's and Jim's kind permission. This journal runs as CGI with httpd(8) on OpenBSD, the source code is BSD licensed. undeadly \Un*dead"ly\, a. Not subject to death; immortal. [Obs.]