
OpenSSH Releases Version 5.0

kdawson posted more than 6 years ago | from the latest-bits dept.

Encryption 41

os2man lets us know that OpenSSH version 5.0 has been released. The mirrors are linked from the top page. "OpenSSH (OpenBSD Secure Shell) is a set of computer programs providing encrypted communication sessions over a computer network using the ssh protocol. It was created as an open source alternative to the proprietary Secure Shell software suite offered by SSH Communications Security. OpenSSH is available for almost any Operating System."


41 comments

Stay Classy (2, Interesting)

scabies (957018) | more than 6 years ago | (#22963540)

Nice how the release note is used to complain about Debian maintainers specifically.

Re:Stay Classy (3, Insightful)

Jeremiah Cornelius (137) | more than 6 years ago | (#22963556)

Yeah. Some content in this front-page article - beyond the version number - would have been helpful.

Re:Stay Classy (1)

Noryungi (70322) | more than 6 years ago | (#22963706)

And, pray tell, which part of the following did you not understand, kind sir?

Changes since OpenSSH 4.9:

Security:

  * CVE-2008-1483: Avoid possible hijacking of X11-forwarded connections
      by refusing to listen on a port unless all address families bind
      successfully.

I guess that about sums it up, doesn't it?

Re:Stay Classy (1)

Jeremiah Cornelius (137) | more than 6 years ago | (#22966268)

That's "after the link".

The /. story doesn't give much detail, context or reason to be interested in a discussion.

Re:Stay Classy (5, Informative)

Noryungi (70322) | more than 6 years ago | (#22963664)

The Debian maintainers wrote to Theo personally, while the correct email address for OpenSSH problems, issues and bug reports is "openssh@openssh.com".

The result is that the maintainers of OpenSSH were not properly notified, and a bug was left in the code. For all that it's worth, it seems Theo was on holidays [undeadly.org] , with no access to a computer.

So, sure, it may sound harsh, but I believe it's for a good cause: OpenSSH developers really want a stable and secure software. Consider the announcement a reminder of the proper procedure to warn them of bugs, not a dig at this or that operating system.

Re:Stay Classy (4, Insightful)

Copid (137416) | more than 6 years ago | (#22963982)

I don't think that anybody is questioning whether a mistake was made. The problem is that there's no reason to publicly humiliate the people (read: volunteers) who made it in order to correct it. The point could just as easily have been made without specifically naming anybody.

I know that if I sent out a mass emailed "reminder" to my company about the proper protocol for something and specifically called out somebody from another group in it, the response would be a universal, "What a dick!" I'd be lucky to avoid being taken to the woodshed by my boss for it. That's just not how it's done.

Re:Stay Classy (1)

gad_zuki! (70830) | more than 6 years ago | (#22965214)

That's the tyranny of free. You can be as big of a dick as you like until the point it forces a fork by a lesser dick.

Re:Stay Classy (1)

Crazy Eight (673088) | more than 6 years ago | (#22974340)

So the xorg guys have smaller dicks than the XFree guys. Who knew...

Anyway, this minor flap about the release notes would have a more appropriate dimension if this release were given the minor sounding number it deserves. Was 4.91 already taken?

Re:Stay Classy (2, Insightful)

Kjella (173770) | more than 6 years ago | (#22967650)

Well, there's a reason that Theo has alienated... well, pretty much everyone except the OpenBSD team and probably some of those too. If he didn't manage OpenSSH, I'd probably barely hear of him as an entirely inconsequential character. Clearly he knows his coding but he reminds me of someone at work I heard of - he was explicitly forbidden from attending customer meetings and communicating with the client directly. He had some resemblance of social antennas with the developers he worked with but probably thinks they're all morons too. It's amazing what'll pass if you can just keep them contained and they do a good job, as long as they don't poison the whole environment. Nice people that are watercooler attendants are much nicer to work with, but at the end of the day they still haven't got anything done and that's what the business ultimately sees.

Re:Stay Classy (0)

Anonymous Coward | more than 6 years ago | (#22964034)

The Debian maintainers also found the bug. Note that lack of thanks for finding a hole in the software. Theo is a twat, plain and simple. Piss people off and they'll work against you, not with you.

Re:Stay Classy (3, Funny)

Profane MuthaFucka (574406) | more than 6 years ago | (#22965218)

That's the last straw, it's back to telnet for me. Bastards.

Re:Stay Classy (1)

bconway (63464) | more than 6 years ago | (#22964740)

Was Theo on holiday for two months? Because according to the Debian bug [debian.org] , he was notified on February 3rd.

Re:Stay Classy (2, Informative)

makomk (752139) | more than 6 years ago | (#22965700)

I notice that this page [openbsd.org] on the OpenBSD site says:

"If you find a new security problem, you can mail it to deraadt@openbsd.org."

If he's going to be out of the country and unavailable for contact, perhaps you should provide an alternative method of reporting security issues that doesn't go through him. (Admittedly, it is the wrong way to report OpenSSH vulnerabilities - presumably the person looked at the wrong page - but it seems to be the official way of reporting issues that affect the rest of OpenBSD.)

Re:Stay Classy (1, Flamebait)

Quattro Vezina (714892) | more than 6 years ago | (#22963722)

This isn't new. OpenBSD developers are famous for having no class.

Remember, OpenBSD was only started because Theo was kicked out of NetBSD for constantly making personal attacks, so he started a competing project as revenge.

Re:Stay Classy (1)

Freedent (84485) | more than 6 years ago | (#22978192)

Damned if they do, damned if they don't. If they didn't mention the issue, the criticism from drooling /. hordes would instead be "why didn't you fix this right away?", and *then* they'd have to mention the Debian thing anyways.

security update? (2, Insightful)

N3TW4LK3R (841526) | more than 6 years ago | (#22963670)

Is there anything 'new' to this version 5.0? From what I can see in the announcement, it is merely a security update from version 4.9:

Changes since OpenSSH 4.9:

Security:

  * CVE-2008-1483: Avoid possible hijacking of X11-forwarded connections
      by refusing to listen on a port unless all address families bind
      successfully.
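The fix line quoted in the two changelog excerpts above (CVE-2008-1483: "refusing to listen on a port unless all address families bind successfully") describes a concrete rule, and the example below shows it in working code. This is an added illustration, not OpenSSH's own channels code. Assumptions made here: the listener binds the wildcard address in every configured family (sshd's real address selection is not modelled), the port range 46010-46019 stands in for 6000 + display and is assumed free, and the function names (x11_bind_port, x11_pick_port, occupy_first_family) are invented for this example. The pre-fix behaviour is modelled, as the changelog line implies, as skipping a family whose bind fails and keeping the port on whatever did bind; the actual pre-fix source is not reproduced.

```c
/* Added example, not OpenSSH code: the bind-all-families rule behind the
 * CVE-2008-1483 fix. If an X11 forwarding listener keeps a port on which
 * only one address family bound, a local user who bound the other family
 * first shares the port and can receive the forwarded X11 connections.
 * require_all = 1 is the fixed rule, require_all = 0 models the old one. */
#include <errno.h>
#include <netdb.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

#define MAX_SOCKS 8

/* Wildcard addresses for `port` in every family this host has configured
 * (simplification: sshd's own address selection is not modelled). */
static struct addrinfo *wildcard_addrs(int port)
{
    struct addrinfo hints, *res;
    char portstr[8];
    memset(&hints, 0, sizeof hints);
    hints.ai_family = AF_UNSPEC;
    hints.ai_socktype = SOCK_STREAM;
    hints.ai_flags = AI_PASSIVE | AI_ADDRCONFIG;
    snprintf(portstr, sizeof portstr, "%d", port);
    return getaddrinfo(NULL, portstr, &hints, &res) == 0 ? res : NULL;
}

/* One listening socket for one getaddrinfo() entry.
 * Returns the fd, -1 if bind/listen failed, -2 if the family is unsupported. */
static int open_listener(const struct addrinfo *ai)
{
    int fd = socket(ai->ai_family, ai->ai_socktype, ai->ai_protocol);
    if (fd < 0)
        return (errno == EAFNOSUPPORT || errno == EINVAL) ? -2 : -1;
    if (ai->ai_family == AF_INET6) {      /* keep v6 and v4 wildcards distinct */
        int on = 1;
        setsockopt(fd, IPPROTO_IPV6, IPV6_V6ONLY, &on, sizeof on);
    }
    /* No SO_REUSEADDR on purpose: a port another process already holds must
     * make bind() fail; that failure is the signal the fix relies on. */
    if (bind(fd, ai->ai_addr, ai->ai_addrlen) < 0 || listen(fd, 5) < 0) {
        close(fd);
        return -1;
    }
    return fd;
}

/* Listen on `port` in every family. Returns the number of sockets stored in
 * socks, or 0 if the port was rejected (any partial sockets are closed). */
int x11_bind_port(int port, int require_all, int *socks, int maxsocks)
{
    struct addrinfo *res = wildcard_addrs(port), *ai;
    int n = 0;
    for (ai = res; ai != NULL && n < maxsocks; ai = ai->ai_next) {
        int fd = open_listener(ai);
        if (fd == -2)
            continue;                     /* family absent on this kernel */
        if (fd < 0) {
            if (!require_all)
                continue;                 /* pre-fix: keep whatever bound */
            while (n > 0)                 /* fix: give up the whole port */
                close(socks[--n]);
            break;
        }
        socks[n++] = fd;
    }
    if (res != NULL)
        freeaddrinfo(res);
    return n;
}

/* First port in [first, last] the rule accepts; returns socket count, 0 if none. */
int x11_pick_port(int first, int last, int require_all,
                  int *socks, int maxsocks, int *port_out)
{
    int port, n;
    for (port = first; port <= last; port++)
        if ((n = x11_bind_port(port, require_all, socks, maxsocks)) > 0) {
            *port_out = port;
            return n;
        }
    return 0;
}

/* Stands in for a hostile local user: hold only the first bindable family. */
int occupy_first_family(int port)
{
    struct addrinfo *res = wildcard_addrs(port), *ai;
    int fd = -1;
    for (ai = res; ai != NULL && fd < 0; ai = ai->ai_next)
        fd = open_listener(ai);
    if (res != NULL)
        freeaddrinfo(res);
    return fd < 0 ? -1 : fd;
}

int main(void)
{
    int socks[MAX_SOCKS], port = 0, n;
    int intruder = occupy_first_family(46010);   /* constructed port range */
    n = x11_pick_port(46010, 46019, 1, socks, MAX_SOCKS, &port);
    printf("intruder fd %d holds one family of 46010; fixed rule chose %d (%d socket(s))\n",
           intruder, port, n);
    return 0;
}
```

With the fixed rule the half-occupied port is skipped and the listener moves to the next display; with the old rule, on a host that has both IPv4 and IPv6 configured, the listener lands on the same port the intruder already holds, which is the sharing the fix rules out.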

Re:security update? (1)

marcosdumay (620877) | more than 6 years ago | (#22963858)

it is merely a security update

You are talking about OpenSSH here. It is not "merely" a security update. It is a top priority security update.

Besides, what other kind of update would you expect on ssh?

Re:security update? (3, Insightful)

Kjella (173770) | more than 6 years ago | (#22964222)

You are talking about OpenSSH here. It is not "merely" a security update. It is a top priority security update.

Besides, what other kind of update would you expect on ssh?

Support for some new SSL/TLS/SFTP/whatever version? Ports to new architectures (if there's any left)? Major performance upgrade? Better X forwarding compression? New authentication method support? Honestly, I don't know what the possible hot items could be, or even if OpenSSH does all of these things. I don't know but the part about point releases is pretty useless if it doesn't mean anything special at all... then the last could be 49 and this release 50, you sorta expect something more when you roll out x.0 releases. Besides, while I'm sure this is a Big Thing for OpenSSH the IPv6 page on WP still says "As of November 2007, IPv6 accounts for a minuscule percentage of the live addresses in the publicly-accessible Internet, which is still dominated by IPv4." So yeah, it's an issue if you're on an IPv6 network but it's hardly a Slammer worm class exploit.

Re:security update? (3, Informative)

Colonel Fahlt (1267662) | more than 6 years ago | (#22964544)

OpenSSH follows the same version numbering approach as OpenBSD, which is that for each release they simply increment what would normally be called the minor number until it reaches 9, then what would normally be construed as the major number is incremented, then they go back to incrementing the minor number. One may wonder why they don't simply use a single number for releases, given there's no meaning or discernible advantage (to an outsider, that is) to using a pair of numbers. (Perhaps the numbering scheme is simply a hold over from OpenBSD's NetBSD origins over a decade ago. NetBSD does use "point numbers" to convey the relative importance of releases.)

Re:security update? (1)

TheVoice900 (467327) | more than 6 years ago | (#22968270)

You can just imagine the point is not there. Then you're going from 49 -> 50.

Re:security update? (1, Insightful)

Vellmont (569020) | more than 6 years ago | (#22964240)

Besides, what other kind of update would you expect on ssh?

Going from a 4.x release to a 5.x release? Something more than what sounds like a small patch to fix a security problem. (I believe I saw a backport of this fix on a recent Ubuntu update).

Re:security update? (2, Informative)

Nimey (114278) | more than 6 years ago | (#22964760)

Given that OpenSSH is maintained by the OpenBSD people, who use a similar version-number scheme, I guess we shouldn't expect big changes. The next release from OpenBSD 3.9 was 4.0, ditto 2.9 to 3.0, and it wasn't a major release or anything, just the next in the series.

It's a stupid versioning scheme, but it's what they use.

Re:security update? (1)

marcosdumay (620877) | more than 6 years ago | (#22975140)

They didn't change the ssh protocol in ages, their server is a simple tty, and the client simply echoes data to a tty. If you don't consider security fixes, you'd have only small cosmetic changes.

Also, OpenSSH must be flawless. That is the software that gives access to nearly everybody on nearly every server (and some desktops) on the internet. You don't want flaws in it.

Re:security update? (2, Informative)

Noksagt (69097) | more than 6 years ago | (#22964226)

Is there anything 'new' to this version 5.0?

No.

From what I can see in the announcement, it is merely a security update from version 4.9

I don't know why you say "merely;" I'd rather know about security updates instead of new features. But perhaps you're trying to provoke a conversation on the unusual version numbering employed by OpenSSH? Because of the nature of the program, many releases have security fixes. If you want to see some recent features, look at the release notes for 4.9 [undeadly.org] .

Re:security update? (1)

Bogtha (906264) | more than 6 years ago | (#22965180)

I don't know why you say "merely;"

Because usually, a major version number change indicates major changes, not patching a single bug. I'd have expected a 4.9 with a security vulnerability patched to be released as 4.9.1.

Why Buck Convention? (1)

bill_mcgonigle (4333) | more than 6 years ago | (#22970108)

Because usually, a major version number change indicates major changes, not patching a single bug. I'd have expected a 4.9 with a security vulnerability patched to be released as 4.9.1.

Well, that would be conventional. Nobody says they need to be conventional.

However, conventions help us communicate and generally grease the skids for societal progress. So, it would be interesting to know why OpenSSH uses a different versioning system. Maybe it's more useful in some way we don't understand?

However, going from 4.9 to 5.0 is an exercise in using major minor numbers. To me it's not apparent there's any meaning behind their use of major and minor numbers, so it seems pointless to use the added complexity, as compared with a serial number.

Or maybe I'm just missing the point.

Security Fix (1)

Noksagt (69097) | more than 6 years ago | (#22963708)

The only change over 4.9 is a security fix for an issue that allowed local users to hijack forwarded X sessions. [nist.gov] The release notes criticize Debian devs for disclosing this publicly before trying to contact OpenSSH privately.

Re:Security Fix (1)

Schraegstrichpunkt (931443) | more than 6 years ago | (#22964050)

The release notes criticize Debian devs for disclosing this publicly before trying to contact OpenSSH privately.

... which is ridiculous. Why should any privileged group get access to this information before the general public does? A great way to start a botnet would be to infiltrate a few of these "private" mailing lists and use/sell the information before the general public finds out about it. Heck, if the software is developed by a public company (not the case with OpenSSH) you could also short the company's stock and make a nice pile of cash.

Re:Security Fix (2)

JebusIsLord (566856) | more than 6 years ago | (#22964348)

Uhm, so they can fix the problem before it becomes known to the cracking community?

Re:Security Fix (1)

Schraegstrichpunkt (931443) | more than 6 years ago | (#22964482)

Who says the people on the "private" list aren't part of the cracking community? Should everyone have to trust them?

Re:Security Fix (2)

Bob(TM) (104510) | more than 6 years ago | (#22964704)

Since the private list members are the OpenSSH maintainers, not trusting them at this point is a bit split-brain. It's like asking someone to hold your wallet and refusing to give them your coat because you don't trust them to keep it safe. In for a penny ...

Re:Security Fix (2, Interesting)

Schraegstrichpunkt (931443) | more than 6 years ago | (#22965112)

No, it's perfectly rational.

In one case, you're trusting the OpenSSH maintainers, as a group, not to put deliberate backdoors into the code that everyone will see. You're trusting them to behave well when the risk of being discovered is quite high. You also have the option of auditing the code yourself, so you don't even have to give them your complete trust.

In the other case, you are trusting each individual OpenSSH maintainer not to use his newly-acquired knowledge against specific targets when the risk of being discovered is quite low.

Re:Security Fix (0)

Anonymous Coward | more than 6 years ago | (#22967488)

No, it's perfectly rational.

In one case, you're trusting the OpenSSH maintainers, as a group, not to put deliberate backdoors into the code that everyone will see. You're trusting them to behave well when the risk of being discovered is quite high. You also have the option of auditing the code yourself, so you don't even have to give them your complete trust.

In the other case, you are trusting each individual OpenSSH maintainer not to use his newly-acquired knowledge against specific targets when the risk of being discovered is quite low.

wee discussion 2

Re:Security Fix (1)

Wintermute__ (22920) | more than 6 years ago | (#22969088)

So how, exactly, do you propose the maintainers be alerted to security risking bugs (so that they can fix them) without disclosing the bugs to the selfsame maintainers?

Wow. I think you just blew my mind.

Re:Security Fix (1)

Schraegstrichpunkt (931443) | more than 6 years ago | (#22973584)

Straw man. I propose that the maintainers be alerted at the same time as everybody else. Then there's no advantage of being on the private "maintainers list", and no incentive to infiltrate it for nefarious purposes.

Re:Security Fix (1)

Freedent (84485) | more than 6 years ago | (#22978166)

You're being incredibly retarded here.

Re:Security Fix (1)

JebusIsLord (566856) | more than 6 years ago | (#22969242)

That's OpenSSH's issue, not yours (as the exploit discoverer). Anyhow, you have to agree that it's still way, way safer than publishing it for all to see.

Re:Security Fix (1)

Noksagt (69097) | more than 6 years ago | (#22964418)

I won't debate whether full or responsible disclosure would be best for everyone.

I will suggest that there should be consistency & Debian believes in responsible disclosure.

Debian maintains a private security reporting mechanism & tells developers that some security bugs may be private for some length of time [debian.org] . Indeed, the Debian dev who closed that issue expressed apologies for not contacting the appropriate person.

Even those who do not believe in responsible disclosure will usually have the good manners to at least simultaneously contact developers and go public.

Re:Security Fix (1)

Sorthum (123064) | more than 6 years ago | (#22966984)

No, technically the release notes criticize the Debian maintainers for emailing the lead OpenSSH dev privately rather than the established tracking mechanism, which is rather different than you describe.

I do think that calling them out like this is classless, though.

Chroot Finally? (2, Interesting)

ajayrockrock (110281) | more than 6 years ago | (#22965088)

Does anyone know if the chroot feature has been included (previously mentioned on slashdot [slashdot.org] )? Or is this just an upgrade for the security fix?