OpenSSH 9.3 arrives with various bug fixes and more


OpenSSH is a set of applications that allow encrypted communications over a network, using the SSH protocol.

The OpenSSH 9.3 release has been published. OpenSSH is an open client and server implementation of the SSH 2.0 and SFTP protocols. The new version corrects some security problems and adds a few new features.

For those who do not know OpenSSH (Open Secure Shell): it is a set of applications that allow encrypted communications over a network using the SSH protocol. It was created as a free and open alternative to the Secure Shell program, which is proprietary software.

Main new features of OpenSSH 9.3

One of the new features in OpenSSH 9.3 is that sshd gains a `sshd -G` option that parses and prints the effective configuration without attempting to load private keys or perform other checks. This allows the option to be used before host keys have been generated, and lets non-privileged users evaluate and verify a configuration.
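The dump that `sshd -G` prints is one lowercase option name per line followed by its value (the same format `sshd -T` has long produced), which makes it easy to audit a configuration against a hardening baseline before deploying it. The following script is an added example, not code from the OpenSSH project: it parses that dump and reports every baseline option whose effective value is not allowed. The `SAMPLE_DUMP` text and the `BASELINE` table are constructed for illustration; on a host with OpenSSH 9.3 or newer, `dump_effective_config()` runs `sshd -G -f <file>` to obtain the real dump.

```python
"""Audit an sshd configuration by parsing the 'option value' dump that
`sshd -G -f <file>` prints. -G skips loading host keys, so an unprivileged
user can run it, even before keys exist."""
import subprocess

# Hardening baseline (constructed for this example): option -> allowed values.
# Names are lowercase because that is how sshd prints them in the dump.
BASELINE = {
    "permitrootlogin": {"no", "prohibit-password"},
    "passwordauthentication": {"no"},
    "pubkeyauthentication": {"yes"},
}


def parse_dump(text):
    """Parse `sshd -G` output into {option: [value, ...]}.

    sshd prints one option per line: the lowercase name, a space, then the
    value(s). Options that may repeat (e.g. hostkey) are accumulated."""
    options = {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        parts = line.split(None, 1)
        name = parts[0].lower()
        value = parts[1] if len(parts) > 1 else ""
        options.setdefault(name, []).append(value)
    return options


def check_baseline(options, baseline=BASELINE):
    """Return (option, actual, allowed) for every baseline entry whose
    effective value is missing from the dump or not in the allowed set."""
    findings = []
    for name, allowed in baseline.items():
        actual = options.get(name, [None])[0]
        if actual not in allowed:
            findings.append((name, actual, sorted(allowed)))
    return findings


def dump_effective_config(config_path):
    """Run `sshd -G -f config_path` and return its stdout.
    Requires OpenSSH 9.3 or newer; raises CalledProcessError if sshd
    rejects the configuration."""
    cmd = ["sshd", "-G", "-f", config_path]
    result = subprocess.run(cmd, capture_output=True, text=True, check=True)
    return result.stdout


# Constructed sample of the dump format, not captured from a real host.
SAMPLE_DUMP = """\
port 22
permitrootlogin yes
passwordauthentication yes
pubkeyauthentication yes
hostkey /etc/ssh/ssh_host_ed25519_key
"""

if __name__ == "__main__":
    import sys
    # With a path argument, audit a real file; otherwise audit the sample.
    text = dump_effective_config(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_DUMP
    for name, actual, allowed in check_baseline(parse_dump(text)):
        print(f"{name}: effective value {actual!r}, expected one of {allowed}")
```

Because `sshd -G` does not need the host keys, the same audit can run in a CI job or as an unprivileged user on a freshly provisioned machine, which is exactly the case the new option was added for.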

On the bug-fixing side, a logic error was found in the ssh-add utility: when adding smart card keys to ssh-agent, the restrictions specified with the "ssh-add -h" option were not passed to the agent. As a result, the key was added to the agent without the restrictions that should have limited its use to connections to certain hosts.

Another fix addresses a vulnerability in the ssh utility that could cause data to be read from the stack outside the allocated buffer when processing specially crafted DNS responses, if the VerifyHostKeyDNS setting is enabled in the configuration file.

The problem exists in the built-in implementation of the getrrsetbyname() function, which is used in portable versions of OpenSSH built without the external ldns library (--with-ldns) and on systems whose standard libraries do not provide getrrsetbyname(). Exploiting the vulnerability for anything other than a denial of service against the ssh client is considered unlikely.
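VerifyHostKeyDNS works by fetching SSHFP records (RFC 4255 / RFC 6594) for the host and comparing the fingerprint they carry with the hash of the host key the server presents. The script below is an added example, not OpenSSH code, showing that comparison with strict length checks on the record so that a truncated or malformed DNS response is rejected instead of being read past its end, which is the class of defect the fix above addresses. The Ed25519 key blob, its public key line and the SSHFP record are all constructed for the example and are not a real host's key or DNS data.

```python
"""Validate an SSHFP DNS record against a host's public key, the check that
VerifyHostKeyDNS performs, with defensive parsing of the record."""
import base64
import hashlib

# RFC 4255 / RFC 6594 code points: SSHFP algorithm -> SSH key type prefix,
# and SSHFP fingerprint type -> (hash name, digest length in bytes).
SSHFP_ALGORITHMS = {1: "ssh-rsa", 2: "ssh-dss", 3: "ecdsa", 4: "ssh-ed25519"}
SSHFP_HASHES = {1: ("sha1", 20), 2: ("sha256", 32)}


class MalformedSSHFP(ValueError):
    """Raised for an SSHFP record that must not be trusted or used."""


def parse_sshfp(rdata):
    """Parse SSHFP RDATA bytes into (algorithm, hash_name, fingerprint).

    Every read is bounds-checked: short records, unknown code points and a
    fingerprint whose length disagrees with the declared hash are rejected."""
    if len(rdata) < 2:
        raise MalformedSSHFP("record shorter than the 2-byte header")
    alg, fptype = rdata[0], rdata[1]
    if alg not in SSHFP_ALGORITHMS:
        raise MalformedSSHFP(f"unknown algorithm {alg}")
    if fptype not in SSHFP_HASHES:
        raise MalformedSSHFP(f"unknown fingerprint type {fptype}")
    hash_name, expected_len = SSHFP_HASHES[fptype]
    fingerprint = rdata[2:]
    if len(fingerprint) != expected_len:
        raise MalformedSSHFP(
            f"{hash_name} fingerprint must be {expected_len} bytes, "
            f"got {len(fingerprint)}")
    return alg, hash_name, fingerprint


def is_well_formed(rdata):
    """Convenience wrapper: True if parse_sshfp() accepts the record."""
    try:
        parse_sshfp(rdata)
        return True
    except MalformedSSHFP:
        return False


def key_blob_from_line(pubkey_line):
    """Return the wire-format key blob from a '<keytype> <base64> [comment]'
    line as found in known_hosts or ssh_host_*_key.pub."""
    fields = pubkey_line.split()
    if len(fields) < 2:
        raise ValueError("expected '<keytype> <base64> [comment]'")
    return base64.b64decode(fields[1], validate=True)


def sshfp_matches(rdata, pubkey_line):
    """True if the record's algorithm agrees with the key type and its
    fingerprint equals the hash of the key blob (SSHFP hashes the blob)."""
    alg, hash_name, fingerprint = parse_sshfp(rdata)
    keytype = pubkey_line.split()[0]
    if not keytype.startswith(SSHFP_ALGORITHMS[alg]):
        return False
    blob = key_blob_from_line(pubkey_line)
    return hashlib.new(hash_name, blob).digest() == fingerprint


# Constructed sample key (NOT a real host key). Ed25519 wire format is
# string(keytype) || string(32-byte public point); the point is just 0..31.
_FAKE_POINT = bytes(range(32))
SAMPLE_BLOB = b"\x00\x00\x00\x0bssh-ed25519" + b"\x00\x00\x00\x20" + _FAKE_POINT
SAMPLE_PUBKEY_LINE = ("ssh-ed25519 " + base64.b64encode(SAMPLE_BLOB).decode()
                      + " constructed@example")
# The SSHFP RDATA a resolver would return for that key:
# algorithm 4 (Ed25519), fingerprint type 2 (SHA-256), then the digest.
SAMPLE_SSHFP = bytes([4, 2]) + hashlib.sha256(SAMPLE_BLOB).digest()

if __name__ == "__main__":
    print("matches:", sshfp_matches(SAMPLE_SSHFP, SAMPLE_PUBKEY_LINE))
    print("truncated record accepted:", is_well_formed(SAMPLE_SSHFP[:10]))
```

The length check against the declared hash is the important part: the record says which digest it carries, so the parser knows exactly how many bytes are valid and never reads beyond them, and any disagreement between declared and actual length is treated as a hard failure rather than a best-effort match.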

Other changes in this release that stand out:

  • scp and sftp: fixed progress meter corruption on wide screens.
  • ssh-add and ssh-keygen use RSA/SHA256 when testing private key usability, as some systems are starting to disable RSA/SHA1 in libcrypto.
  • sftp-server: fixed a memory leak.
  • ssh, sshd and ssh-keyscan: removed compatibility code and simplified what remains of the "vestigial" protocol support.
  • Fixed a series of low-impact Coverity static analysis results.
    Further changes noted in the release:
    * ssh_config(5), sshd_config(5): mention that some options are not first-match-wins.
    * Reworked logging for the regression tests, which now capture separate logs for each ssh and sshd invocation in a test.
    * ssh(1): make `ssh -Q CASignatureAlgorithms` work as the man page says it should; bz3532.

Lastly, it should be noted that a vulnerability was also fixed in the libskey library shipped with OpenBSD, which is used by OpenSSH. The problem has existed since 1997 and can cause a stack buffer overflow when processing specially crafted hostnames.

Finally, if you are interested in knowing more about this new version, you can check the details at the following link.

How to install OpenSSH 9.3 on Linux?

Those interested in installing this new version of OpenSSH on their systems can, for now, do so by downloading the source code and compiling it on their computers.

This is because the new version has not yet been included in the repositories of the main Linux distributions. The source code can be obtained from the following link.

Once the download is complete, extract the package with the following command:

tar -xvf openssh-9.3.tar.gz

We enter the created directory:

cd openssh-9.3

And we can compile and install with the following commands:

./configure --prefix=/opt --sysconfdir=/etc/ssh
make
make install
