OpenSSH 3.9 has just been released. According to the information available regarding this release, there are several changes since version 3.8:

1. Added a new "IdentitiesOnly" option to ssh(1), which specifies that it should use only the keys specified in ssh_config rather than any keys in ssh-agent(1).
2. Make sshd(8) re-execute itself on accepting a new connection. This security measure ensures that all execute-time randomisations are reapplied for each connection rather than once for the master process' lifetime. This includes mmap and malloc mappings, shared library addressing, shared library mapping order, and ProPolice and StackGhost cookies on systems that support such things.
3. Add strict permission and ownership checks to programs reading ~/.ssh/config. NB: ssh(1) will now exit instead of trying to process a config with poor ownership or permissions.
4. Implemented the ability to pass selected environment variables between the client and the server. See "AcceptEnv" in sshd_config(5) and "SendEnv" in ssh_config(5) for details.
5. Added a "MaxAuthTries" option to sshd(8), allowing control over the maximum number of authentication attempts permitted per connection.
6. Added support for cancellation of active remote port forwarding sessions. This may be performed using the ~C escape character; see "Escape Characters" in ssh(1) for details.
7. Many sftp(1) interface improvements, including greatly enhanced "ls" support and the ability to cancel active transfers using SIGINT (^C).
8. Implement session multiplexing: a single ssh(1) connection can now carry multiple login/command/file transfer sessions. Refer to the "ControlMaster" and "ControlPath" options in ssh_config(5) for more information.
9. The sftp-server has improved support for non-POSIX filesystems (e.g. FAT).
10. Portable OpenSSH: Re-introduce support for PAM password authentication, in addition to the keyboard-interactive driver. PAM password authentication is less flexible, and doesn't support pre-authentication password expiry, but runs in-process so Kerberos tokens, etc. are retained.

Thanks to Donald Smith for providing us with the following information overview:

Of these, 1, 2, 3, 4 and 10 are all security related, with 1, 2, 3 and 4 being issues that were considered by many to be minor security flaws in OpenSSH. PAM was pulled when there were some issues with PAM libraries that led to a potential vulnerability in OpenSSH. Portable OpenSSH 3.7.1p2 and newer are not vulnerable to "September 23, 2003: Portable OpenSSH Multiple PAM vulnerabilities", OpenSSH Security Advisory. (This issue does not affect OpenBSD versions.)

http://www.openssh.com/

Rumors of new Download.Ject Worm

We have heard rumors that there may be a new worm on the loose. Reports have stated that this worm arrives as an innocuous-looking instant message on AIM or ICQ which says "My personal home page http://XXXXXXX.X-XXXXXX.XXX/". Once the user clicks on this link, Internet Explorer opens a malicious website that infects the user through several IE vulnerabilities such as Object Data, Ibiza CHM and MHTML Redirect. The most noticeable end-user effects of being infected with this new Download.Ject worm are a modified homepage and search pane in the browser. In place of the user's ordinary homepage is a site called TargetSearch, along with several browser windows displaying adult advertisements and referral links. There are obvious financial motivations behind this worm. Please let the Handlers know if anyone has received an actual copy of this.

SEC Warning about Telephone Fraud Scam

It appears there is yet another scam trying to take our hard-earned dollars from our hands. This time the technology being used to scam is the telephone. According to the Securities and Exchange Commission, the message is designed to sound as if the speaker didn't realize that he or she was leaving the hot tip on the wrong machine. The message is intended to lead you to believe that there is a stock that is going to drastically increase in value and that you could make a huge profit. In reality, the only ones making the huge profit will be the scammers. To read the full story and find out how to report this scam should you receive one of these calls, see the Securities and Exchange Commission web site.

http://www.sec.gov/investor/pubs/wrongnumberscam.htm

My Favorite Quote of the Day

Thanks to Donald Smith for my favorite quote of the day: "Every day is virus day. Do you know where your recovery CDs are? Did you create them yet?"

Deb Hale
Handler On Duty
haled@pionet.net
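The configuration options from the OpenSSH 3.9 notes above (the ~/.ssh/config ownership and permission check, MaxAuthTries, AcceptEnv/SendEnv, IdentitiesOnly and ControlMaster/ControlPath) lend themselves to a small worked example. The following POSIX shell script is added here as an illustration; it is not code from the ISC diary or from the OpenSSH project. The function names, the sample sshd_config and ~/.ssh/config contents, and the exact form of the permission test (owned by the invoking user, not group- or world-writable) are assumptions of the example rather than anything the diary states.

```shell
#!/bin/sh
# Added example for the OpenSSH 3.9 items above; not code from the ISC diary
# or from the OpenSSH project. Two POSIX sh helpers:
#
#   ssh_config_perms_ok FILE
#       approximates the ownership/permission check ssh(1) now applies before
#       reading ~/.ssh/config: the file must belong to the invoking user and
#       must not be group- or world-writable. (Assumption: ssh's exact test
#       may differ in detail from this approximation.)
#
#   ssh_option FILE KEYWORD
#       prints the effective value of KEYWORD from an ssh_config/sshd_config
#       style file: comments and blank lines are skipped, keywords match
#       case-insensitively, and the first occurrence of a keyword wins, which
#       is the precedence rule documented in ssh_config(5)/sshd_config(5).

ssh_config_perms_ok() {
    f=$1
    [ -f "$f" ] || return 1
    # Field 1 of `ls -ld` is the mode string, field 3 the owner; both are
    # stable across GNU and BSD userlands, unlike the flags of stat(1).
    set -- $(ls -ld "$f")
    mode=$1
    owner=$3
    # ls may print a numeric uid when no passwd entry exists, so accept either.
    [ "$owner" = "$(id -un)" ] || [ "$owner" = "$(id -u)" ] || return 1
    # Character 6 of the mode string is group-write, character 9 other-write.
    case $mode in
        ?????w*|????????w*) return 1 ;;
    esac
    return 0
}

ssh_option() {
    awk -v key="$2" '
        /^[[:space:]]*(#|$)/ { next }            # comment or blank line
        tolower($1) == tolower(key) {
            # The value is everything after the keyword (AcceptEnv, SendEnv
            # and similar options take a whitespace-separated list).
            sub(/^[[:space:]]*[^[:space:]]+[[:space:]]+/, "")
            print
            exit
        }' "$1"
}

# Demonstration on constructed files (not any real host's configuration).
demo() {
    dir=$(mktemp -d) || return 1

    # Server side: the two 3.9 server options an administrator would set.
    cat > "$dir/sshd_config" <<'EOF'
# constructed sample sshd_config
Port 22
MaxAuthTries 3
# a later duplicate is ignored: the first value wins
MaxAuthTries 6
AcceptEnv LANG LC_*
EOF

    # Client side: IdentitiesOnly, SendEnv and connection multiplexing.
    cat > "$dir/config" <<'EOF'
# constructed sample ~/.ssh/config
Host *
    IdentitiesOnly yes
    SendEnv LANG LC_*
    ControlMaster auto
    ControlPath ~/.ssh/mux-%r@%h:%p
EOF

    echo "MaxAuthTries   -> $(ssh_option "$dir/sshd_config" maxauthtries)"
    echo "AcceptEnv      -> $(ssh_option "$dir/sshd_config" AcceptEnv)"
    echo "IdentitiesOnly -> $(ssh_option "$dir/config" IdentitiesOnly)"

    chmod 600 "$dir/config"
    ssh_config_perms_ok "$dir/config" && echo "config accepted (0600)"
    chmod 644 "$dir/config"
    ssh_config_perms_ok "$dir/config" && echo "config accepted (0644: readable by others, not writable)"
    chmod 664 "$dir/config"
    ssh_config_perms_ok "$dir/config" || echo "config REJECTED (0664: group-writable)"

    rm -rf "$dir"
}

demo
```

Running the script prints the effective values read from the constructed files and shows that a 0600 or 0644 ~/.ssh/config passes the approximated check while a group-writable 0664 one is rejected, which is the situation in which the 3.9 client now exits rather than reading the file. The parser deliberately ignores Host blocks; it only demonstrates the first-match precedence rule, not full ssh_config matching.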
Aug 21st 2004