Updated: OpenSSH-3.4p1-2

Corinna Vinschen vinschen@redhat.com
Thu Jul 4 08:49:00 GMT 2002


I've updated the version of OpenSSH to 3.4p1-2.

This is a Cygwin bug fix and enhancement release.

It fixes a bug in the official sources which prevents serverside
port forwarding of privileged ports (ports < 1024).

The enhancements are 

- This version is statically linked against the tcp wrappers lib.

  You don't need to install the tcp_wrappers package to get that
  functionality but I suggest to do so anyway to get the man pages
  describing the functionality and how to create correct
  /etc/hosts.allow and /etc/hosts.deny files.  Note that everything
  works as before if neither of these files exist.

  And note that using that feature only works correctly since
  Cygwin 1.3.12.  Previous versions of the Cygwin DLL had a bug
  which prevents the tcp wrappers lib to return correct results
  when used by sshd.

- The ssh-host-config file now prepares your system for running
  with privilege separation if it's a NT/2k/XP system.
  
  On NT systems the script now asks if it should create an account
  named 'sshd' in the local NT user database (SAM).  It also adds
  this account to /etc/passwd then.  /var/empty is installed and
  chown'd to SYSTEM.  See /usr/doc/openssh/README.privsep for a
  description of privilege separation.

  Since privilege separation doesn't make *any* sense on systems not
  supporting user privileges at all, privilege separation is switched
  off by default on 9x/Me systems.

- The /usr/doc/Cygwin/openssh-3.4p1-2.README file now contains
  an additional entry describing Cygwin specific details of
  privilege separation.

The following comment from the 3.4p1-1 announcement still applies:

========================================================================
This version allows to use privilege separation in a slightly restricted
way.  Since privilege separation is consisting of two independent parts
(preauth, postauth) and only the postauth part requires descriptors
passing, this version enables the usage of preauth privilege separation
in Cygwin.  Note that this doesn't create an additional sshd process as
described in the README.privsep file and note that this isn't still as
secure as fully-fledged privilege separation but it's a good start.
========================================================================

Official Release Message:
====================================================================
OpenSSH 3.4 has just been released. It will be available from the
mirrors listed at http://www.openssh.com/ shortly.

OpenSSH is a 100% complete SSH protocol version 1.3, 1.5 and 2.0
implementation and includes sftp client and server support.

We would like to thank the OpenSSH community for their continued
support and encouragement.


Changes since OpenSSH 3.3:
============================

Security Changes:
=================

  All versions of OpenSSH's sshd between 2.9.9 and 3.3
  contain an input validation error that can result in
  an integer overflow and privilege escalation.

  OpenSSH 3.4 fixes this bug.

  In addition, OpenSSH 3.4 adds many checks to detect
  invalid input and mitigate resource exhaustion attacks.  

  OpenSSH 3.2 and later prevent privilege escalation
  if UsePrivilegeSeparation is enabled in sshd_config.
  OpenSSH 3.3 enables UsePrivilegeSeparation by
  default.


Reporting Bugs:
===============

- please read http://www.openssh.com/report.html
  and http://bugzilla.mindrot.org/

OpenSSH is brought to you by Markus Friedl, Niels Provos, Theo de Raadt,
Kevin Steves, Damien Miller and Ben Lindstrom.
====================================================================

To update your installation, click on the "Install Cygwin now" link on
the http://cygwin.com/ web page.  This downloads setup.exe to your  
system.  Once you've downloaded setup.exe, run it and select "Net" and
then click on the appropriate field until the above announced version
number appears if it is not displayed already.

If you have questions or comments, please send them to the Cygwin
mailing list at: cygwin@cygwin.com .  I would appreciate it if you would
use this mailing list rather than emailing me directly.  This includes
ideas and comments about the setup utility or Cygwin in general.

If you want to make a point or ask a question, the Cygwin mailing list
is the appropriate place.

              *** CYGWIN-ANNOUNCE UNSUBSCRIBE INFO ***

If you want to unsubscribe from the cygwin-announce mailing list, look  
at the "List-Unsubscribe: " tag in the email header of this message.  
Send email to the address specified there.  It will be in the format:

cygwin-announce-unsubscribe-you=yourdomain.com@cygwin.com

If you need more information on unsubscribing, start reading here:

http://sources.redhat.com/lists.html#unsubscribe-simple  

Please read *all* of the information on unsubscribing that is available
starting at this URL.

I implore you to READ this information before sending email about how
you "tried everything" to unsubscribe.  In 100% of the cases where
people were unable to unsubscribe, the problem was that they hadn't
actually read and comprehended the unsubscribe instructions.

If you need to unsubscribe from cygwin-announce or any other mailing
list, reading the instructions at the above URL is guaranteed to
provide you with the info that you need.

-- 
Corinna Vinschen                  Please, send mails regarding Cygwin to
Cygwin Developer                                mailto:cygwin@cygwin.com
Red Hat, Inc.



More information about the Cygwin-announce mailing list