Slashdot Mirror

msm1267 writes: OpenSSH today released a patch for a critical vulnerability that could be exploited by an attacker to force a client to leak private cryptographic keys. The attacker would have to control a malicious server in order to force the client to give up the key, OpenSSH and researchers at Qualys said in separate advisories. Qualys' security team privately disclosed the vulnerability Jan. 11 and the OpenSSH team had it patched within three days. The vulnerability was found in a non-documented feature called roaming that supports the resumption of interrupted SSH connections. OpenSSH said client code between versions 5.4 and 7.1 are vulnerable as it contains the roaming support. OpenSSH said that organizations may disable the vulnerable code by adding 'UseRoaming no' to the global ssh_config(5) file. Researchers at Qualys said organizations should patch immediately and regenerate private keys.

HipToday writes "As posted on the OpenBSD Journal, OpenSSH 5.4 has been released: 'Some highlights of this release are the disabling of protocol 1 by default, certificate authentication, a new "netcat mode," many changes on the sftp front (both client and server) and a collection of assorted bugfixes. The new release can already be found on a large number of mirrors and of course on www.openssh.com.'"

pgilman writes "The release of OpenBSD 4.6 was announced today. Highlights of the new release include a new privilege-separated smtpd; numerous improvements to packet filtering, software RAID, routing daemons, and the TCP stack; a new installer; and lots more. Grab a CD set or download from a mirror, and please support the project (which also brings you OpenSSH and lots of other great free software) if you can."

An anonymous reader writes "OpenSSH is a 100% complete SSH protocol version 1.3, 1.5 and 2.0 implementation and includes sftp client and server support. It encrypts all traffic (including passwords) to effectively eliminate eavesdropping, connection hijacking, and other attacks. Additionally, OpenSSH provides secure tunneling capabilities and several authentication methods, and supports all SSH protocol versions. Version 5.3 marks the 10th anniversary of the OpenSSH project."

An anonymous reader writes "OpenSSH is a 100% complete SSH protocol version 1.3, 1.5 and 2.0 implementation and includes sftp client and server support. It encrypts all traffic (including passwords) to effectively eliminate eavesdropping, connection hijacking, and other attacks. Additionally, OpenSSH provides secure tunneling capabilities and several authentication methods, and supports all SSH protocol versions. Version 5.3 marks the 10th anniversary of the OpenSSH project."

os2man lets us know that OpenSSH version 5.0 has been released. The mirrors are linked from the top page. "OpenSSH (OpenBSD Secure Shell) is a set of computer programs providing encrypted communication sessions over a computer network using the ssh protocol. It was created as an open source alternative to the proprietary Secure Shell software suite offered by SSH Communications Security. OpenSSH is available for almost any Operating System."

os2man lets us know that OpenSSH version 5.0 has been released. The mirrors are linked from the top page. "OpenSSH (OpenBSD Secure Shell) is a set of computer programs providing encrypted communication sessions over a computer network using the ssh protocol. It was created as an open source alternative to the proprietary Secure Shell software suite offered by SSH Communications Security. OpenSSH is available for almost any Operating System."

os2man lets us know that OpenSSH version 5.0 has been released. The mirrors are linked from the top page. "OpenSSH (OpenBSD Secure Shell) is a set of computer programs providing encrypted communication sessions over a computer network using the ssh protocol. It was created as an open source alternative to the proprietary Secure Shell software suite offered by SSH Communications Security. OpenSSH is available for almost any Operating System."

Sam writes "The OpenBSD cvs server has a failing RAID array. Users of the projects on that array: OpenBSD, OpenSSH, OpenBGPD, OpenNTPD, and the upcoming OpenCVS are all invited to contribute towards the $12,500 cost of a suitably high-spec replacement. OpenBSD Journal article, and original request (thread)."

UnderScan writes "As seen on openssh-unix-announce: 'OpenSSH 4.0 has just been released. It will be available from the mirrors listed at http://www.openssh.com/ shortly. OpenSSH is a 100% complete SSH protocol version 1.3, 1.5 and 2.0 implementation and includes sftp client and server support. We would like to thank the OpenSSH community for their continued support to the project, especially those who contributed source and bought T-shirts or posters.' See the changelog or the freshmeat.net changes summary for more details."

An anonymous reader submits "The Software Sig Page encourages software maintainers to publish verifiable signatures for released software and to build the web of trust among software maintainers and software users. If you're afraid of downloading a trojaned OpenSSH, being 0wned while capturing packets, compiling an MTA as well as a backdoor on your system, not being able to trust tools you use every day, or never having a chance from the moment your OS boots, then you want some level of assurance that the software you use is everything the mainatainers expected you to have and no more. Look and check the MD5 and PGP signatures that come with software you download."

Slashback tonight brings you more on the recent cracking of GSM encryption,the odds of file sharers escaping industry scrutiny in Canada, the recently found (and stomped) OpenSSH bug, installation-time ads in Mandrake, and more. Read on below for the details.

Art of the Saber Jagaast writes "As a counterpoint to all the hype about the Star Wars kid, here's a Star Wars fan film that's actually very well done. Art of the Saber is 'a light saber fight sequence with the flavor of a Hong Kong martial arts action movie.' Well worth watching." Update by J : I've made torrents available.

Vote early, often, and reversably. An anonymous reader writes "As a follow up to a previous story here on Slashdot on electronic voting, Excite has a story on the same subject with a bit more information including this amazing quote from Deborah Seiler, Diebold's West Coast sales representative: '"These activists don't understand what they're looking at," Seiler said.'"

GSM-crack paper online morcheeba writes "Copies of the GSM-crack paper described in last week's Slashdot article are now available online (PDF) thanks to John Young's Cryptome"

Mandrake ads...take 2 *no comment* writes "Apparently there has been some controversy over the ads in the upcoming Mandrake 9.2. I thought it was pretty cut & dried, but apparently Mandrake thought it was enough of a controversy to to release a written statement about it. I wonder how many flames were posted in the slashdot forum using the download version of Opera."

Blaster Worm still alive and well on MIT campus fwc writes "MIT still has 900 network drops disabled due to the Blaster worm infection. Of particular interest is that MIT network security requires users to reformat their hard drive and re-install their operating system before they get back on the network. Sounds like a good excuse to reinstall something other than a Microsoft operating system."

A big AWOOOGAH for Canadian file sharers. Rumor writes in response to a recent story suggesting that Canadian users could swap files scot-free: "Listen, Canadians, don't go using your p2p apps and thinking you are immune from lawsuit, you are liable for copyright infringement if you share files on p2p apps.

To wit: a fellow law student and I have written an analysis of s. 80 of the Copyright Act and we've concluded that one can download music safely under the Private Copying provision, but no one can share or upload files without infringing on copyright.

In a nutshell, Private Copying allows anyone to make a copy of a song purely for their own use. As you probably know, when you share files and someone downloads from you, what actually happens is that their computer makes a request and your computer actually sends the file to them. Thus, you're copying for someone else's use and infringing. It doesn't matter if you didn't realize that's what happens, either... intent is not required for infringement.

The upside is that you can accept copies from other people (ie. download) all you want. Although there might be an issue of contributory infringement to worry about... I won't go into analyzing that, since so far the record companies are only suing uploaders.

The article can be found on greplaw.

I've recently confirmed this analysis with an IP law professor at my university, so I'm pretty damn sure of it. So, please, be aware of this danger. Downloading cool, uploading/sharing not. I guess the situation still better than nothing."

Why not ask for your money back? zaaj writes "There are several articles out about a newly found/fixed(openssh.org) buffer management bug in OpenSSH and some derivatives. Cisco's Advisory only mentions DoS attacks against certain of their SSH-enabled devices, but ZDNet's article hints at rumors of long-existing root exploits. Regardless, RedHat's got their typical list of updated packages with the patch back-ported. A few other distro's have info in the vendor section of Cert's advisory CA-2003-24"

petabyte writes "Now that RedHat 9 is out, here's something for the rest of us. OpenSSH 3.6 has been released today. Is has several new features including a progress meter for sftp and bandwidth limiting for scp. I haven't installed it yet but I'm sure the packages will be hitting mirrors soon enough. There's even a new T-shirt."

Dan writes "OpenBSD's Markus Friedl is requesting everyone to test the latest OpenSSH 3.6 nightly snapshots to help ensure a quality final release. The OpenSSH Portability Team takes the pure OpenSSH version and adds portability code so that OpenSSH can run on many other operating systems. Folks, download snapshots for your OS from one of these mirrors."

Dan writes "OpenBSD's Markus Friedl is requesting everyone to test the latest OpenSSH 3.6 nightly snapshots to help ensure a quality final release. The OpenSSH Portability Team takes the pure OpenSSH version and adds portability code so that OpenSSH can run on many other operating systems. Folks, download snapshots for your OS from one of these mirrors."

Dan writes "Markus Friedl announces that OpenSSH 3.5 has just been released with notable updates since 3.4. It will be available from the mirrors listed at http://www.openssh.com/ shortly. Enhancements include bug fixes, improved support for Privilege Separation (Portability, Kerberos, PermitRootLogin handling), RSA blinding in order to avoid timing attacks against the RSA host key and much more. Congratulations are in order for the OpenSSH team's hard work and efforts."

mcwop asks: "My company's IT department is trying to set up secure FTP with a vendor. It would be set up on a Sun box (not running Solaris 9). I emailed suggesting they look at OpenSSH. The response I received stated that they don't like to use freeware, but only consider industry proven and supported software. I have found one commercial version at SSH. What other commercial versions are out there (I know Solaris 9 comes with SSH)? But more importantly, what are some commercial successes? What large organizations are implementing SSH?"

Dan writes: "OpenSSH 3.4 has been released and will be shortly available on all mirrors. All versions of OpenSSH's sshd between 2.9.9 and 3.3 contain an input validation error that can result in an integer overflow and privilege escalation. OpenSSH 3.4 fixes this bug." And kylus writes: "The previously mentioned vulnerability in OpenSSH has been disclosed by ISS X-Force today on the BugTraq list. This is a potential remote root compromise, and while there is a workaround, it's advised that users upgrade to version 3.4 as soon as they can."

If you remotely administer any computers, or need to check your email over an untrusted network, odds are you're already familiar with the wonders of OpenSSH. Markus Friedl yesterday posted a release announcement for the newest version, OpenSSH 3.3. Privilege separation in OpenSSH is now enabled by default, another sign of the entire OpenBSD project's appropriate paranoia.

hated writes "OpenSSH-3.2.2 is just released. Among some security fixes associated with Kerberos/AFS token passing, privelage separation has begun to be show up, experimentally right now of course. A paper on OpenSSH privelage separation is available. Pop on over to one of the mirror sites and get your brand spanking new version. The portable website doesn't currently list 3.2.2, but the FTP sites do have it."

Alert (or at least awake) reader deran9ed points out this article covering AOL Time-Warner's acquisition of BSDi. Sounds like AOL has been busy with acquisitions lately; best of luck any software engineers displaced by the move. Hopefully we'll see an integration of OpenSSH and AIM as well.

If you are following the flap over the use of the letters Ess, Ess and Aitch in product names -- SSH Communications Security Corporation has asked the OpenSSH project to stop using those letters in the name of their software -- a story on NewsForge adds more details. If you didn't catch it then, here's yesterday's NewsForge article as well. Good thing nobody is enforcing a trademark on "telnet," eh?

My favorite tidbit from the article is this: "[OpenBSD and OpenSSH Developer Theo] de Raadt cites U.S. trademark law that requires owners of trademarks to notify violators immediately ... de Raadt argues that Ylönen would have to be living under a rock not to be aware of OpenSSH before now. OpenSSH, released in December 1999 and in use before that, was used by more than 17% of all SSH users earlier this month, according to a study published on the University of Alberta Web site." Besides that, the story does a great job of listing other people whose products including "SSH" in their names have been left blissfully alone, making it seem that OpenSSH is getting what can only be called special treatment.

Of interest: here is a link to a page at openssh.com showing the legal papers received and scanned by members of the OpenSSH project, including the trademark application in question, showing an entirely lowercased "ssh" as the applied-for mark.

Olmy's Jart writes: "Tatu Ylonen has just posted the following message to the Openssh developers mailing list, openssh-unix-dev@mindrot.org. He is claiming OpenSSH, http://www.openssh.com, is infringing on his trademark on the terms "SSH" and "Secure Shell" and demanding that the OpenSSH project change their name." Thanks to Olmy's Jart for attaching the message - I've included it in the text below. The e-mail provides the background and thinking behind the letter. This has not yet shown up on the OpenSSH mailing list archives, http://marc.theaimsgroup.com/?l=openssh-unix-dev&r=1&w=2, although some replies are already there.

==================================================

From: Tatu Ylonen
To: openssh-unix-dev@mindrot.org
Subject: SSH trademarks and the OpenSSH product name
Organization: SSH Communications Security, Finland
Sender: owner-openssh-unix-dev@mindrot.org

Friends,

Sorry to write this to a developer mailing list. I have already
approached some OpenSSH/OpenBSD core members on this, including Markus
Friedl, Theo de Raadt, and Niels Provos, but they have chosen not to
bring the issue up on the mailing list. I am not aware of any other
forum where I would reach the OpenSSH developers, so I will post this
here.

As you know, I have been using the SSH trademark as the brand name of
my SSH (Secure Shell) secure remote login product and related
technology ever since I released the first version in July 1995. I
have explicitly claimed them as trademarks at least from early 1996.

In December 1995, I started SSH Communications Security Corp to
support and further develop the SSH (Secure Shell) secure remote login
products and to develop other network security solutions (especially
in the IPSEC and PKI areas). SSH Communications Security Corp is now
publicly listed in the Helsinki Exchange, employs 180 people working
in various areas of cryptographic network security, and our products
are distributed directly and indirectly by hundreds of licensed
distributors and OEMs worldwide using the SSH brand name. There are
several million users of products that we have licensed under the
SSH brand.

To protect the SSH trademark I (or SSH Communications Security Corp.,
to be more accurate) registered the SSH mark in the United States and
European Union in 1996 (others pending). We also have a registration
pending on the Secure Shell mark.

The SSH mark is a significant asset of SSH Communications Security and
the company strives to protect its valuable rights in the SSH® name
and mark. SSH Communications Security has made a substantial
investment in time and money in its SSH mark, such that end users have
come to recognize that the mark represents SSH Communications Security
as the source of the high quality products offered under the mark.
This resulting goodwill is of vital importance to SSH Communications
Security Corp.
We have also been distributing free versions of SSH Secure Shell under
the SSH brand since 1995. The latest version, ssh-2.4.0, is free for
any use on the Linux, FreeBSD, NetBSD, and OpenBSD operating systems,
as well as for universities and charity organizations, and for
personal hobby/recreational use by individuals.

We have been including trademark markings in SSH distributions, on the
www.ssh.fi, www.ssh.com, and www.ssh.org web sites, IETF standards
documents, license/readme files and product packaging long before the
OpenSSH group was formed. Accordingly, we would like you to
understand the importance of the SSH mark to us, and, by necessity,
our need to protect the trademark against the unauthorized use by
others.

Many of you are (and the initiators of the OpenSSH group certainly
should have been) well aware of the existence of the trademark. Some
of the OpenBSD/OpenSSH developers/sponsors have also received a formal
legal notice about the infringement earlier.

I have started receiving a significant amount of e-mail where people
are confusing OpenSSH as either my product or my company's product, or
are confusing or misrepresenting the meaning of the SSH and Secure
Shell trademarks. I have also been informed of several recent press
articles and outright advertisements that are further confusing the
origin and meaning of the trademark.

The confusion is made even worse by the fact that OpenSSH is also a
derivative of my original SSH Secure Shell product, and it still looks
very much like my product (without my approval for any of it, by the
way). The old SSH1 protocol and implementation are known to have
fundamental security problems, some of which have been described in
recent CERT vulnerability notices and various conference papers.
OpenSSH is doing a disservice to the whole Internet security community
by lengthening the life cycle of the fundamentally broken SSH1
protocols.

The use of the SSH trademark by OpenSSH is in violation of my
company's intellectual property rights, and is causing me, my company,
our licensees, and our products considerable financial and other
damage.

I would thus like to ask you to change the name OpenSSH to something
else that doesn't infringe the SSH or Secure Shell trademarks,
basically to something that is clearly different and doesn't cause
confusion.

Also, please understand that I have nothing against independent
implementations of the SSH Secure Shell protocols. I started and
fully support the IETF SECSH working group in its standardization
efforts, and we have offered certain licenses to use the SSH mark to
refer to the protocol and to indicate that a product complies with the
standard. Anyone can implement the IETF SECSH working group standard
without requiring any special licenses from us. It is the use of the
"SSH" and "Secure Shell" trademarks in product names or in otherwise
confusing manner that we wish to prevent.

Please also try to look at this from my viewpoint. I developed SSH
(Secure Shell), started using the name for it, established a company
using the name, all of our products are marketed using the SSH brand,
and we have created a fairly widely known global brand using the name.
Unauthorized use of the SSH mark by the OpenSSH group is threathening
to destroy everything I have built on it during the last several
years. I want to be able to continue using the SSH and Secure Shell
names as identifying my own and my company's products and
technologies, which the unlawful use of the SSH name by OpenSSH is
making very hard.

Therefore, I am asking you to please choose another name for the
OpenSSH product and stop using the SSH mark in your product name and
in otherwise confusing manner.

Regards,

Tatu Ylonen

SSH Communications Security http://www.ssh.com/
SSH IPSEC Toolkit http://www.ipsec.com/
SSH(R) Secure Shell(TM) http://www.ssh.com/products/ssh


"

Update: 02/14 02:44 PM by CT : I just wanted to insert my 2 bits into this story. This is a problem close to my heart: I hate getting tech support for PHPSlash. I don't care that it exists, in fact, I'm happy that it does, it fills a need and a lot of people like it. But there is no doubt that this is confusing to people, I get the bug reports to prove it. (My other peeve examples are Linux Mandrake taking a certain Linux developer's name even though they knew better, and the K5 guys naming their project 'Scoop' even tho another major Web site was created by a guy with the same name). I have no problem with any of these projects: I think all 3 of them are great projects, but if they were just a little more original there would be no confusion. Now I'd personally never go so far as to call copyright infringement, I shouldn't have to. We're all nice people here. Maybe I'm just a bit idealistic on this one.

dragonfly_blue writes: "Just wanted to let you know, OpenBSD 2.7 is out, with significant advances; including OpenSSH2, better Linux binary emulation, DSA encryption, and (my personal favorite) support for encrypting your swap space. Theo and the gang have also expanded the ports and packages collections considerably, so get 'em while they're hot!" (More.)

ocipio contributed some more tidbits, writing: " ... OpenBSD 2.7 improves support for high end system boards, SCSI controllers, ethernet interfaces, and adds gigabit ethernet drivers and IPv6 networking. OpenBSD's cryptography has been further enhanced by encrypting virtual memory swap space, and by more flexible ISAKMPD key exchange and operating modes for IP Security networking." To keep things interesting in BSD Land, he adds "According to Jordan Hubbard, FreeBSD's release engineer, FreeBSD 3.5 will be released June 20th."

Cool on all counts. Way to go, BSD crew! (And Thanks! to everyone who pointed out this release.)

Anonymous Coward writes: "The OpenSSH project released version 2.1 earlier this month. It now supports the SSH2 protocol. SSH2 is regarded by many as a more secure protocol (but was for a long time only supported in a restricted license implementation)." Nice work, guys. I'm downloading the source, I'm buying a T-shirt, life is good.

Anonymous Coward writes: "The OpenSSH project released version 2.1 earlier this month. It now supports the SSH2 protocol. SSH2 is regarded by many as a more secure protocol (but was for a long time only supported in a restricted license implementation)." Nice work, guys. I'm downloading the source, I'm buying a T-shirt, life is good.

Duke of URL writes: "Boardwatch interviewed OpenBSD contributor Louis Bertrand. It's an excellent article about OpenBSD's niche and mission. They discussed the continued code audit, OpenSSH, and future version plans, including SMP development, ports rework, and continued integration of IPv6. Journalist Jeffrey Carl does a good job of pointing out OpenBSD's strengths and tradeoffs."

Claes Leufven was one of the first to write in with the news that FreeBSD 4.0 is now available for download. Features added to 4.0 since it diverged from 3.x include: IPv6 and IPSec support built in (courtesy of the KAME project), OpenSSL and OpenSSH are integrated in to the base system, jail(2) ("chroot(2) on steroids") to help build secure environments, many, many NFS bug fixes and performance improvements, bug fixes and performance improvements to the VM subsystem, netware file and client connection support, gcc upgraded to 2.95.2 as the base compiler, better support for laptops, a much more complete threads library. . . see the Alpha or i386 release notes for more details. And before you all rush off to upgrade your production servers, read on for a brief message from Jordan Hubbard, FreeBSD's Release Engineer, and to find out where to download the release from.

"As with all FreeBSD releases ending in .0, the project recommends that production environments wait at least one or two releases after it before moving mission-critical services over. These dot-zero releases are primarily aimed at the developers and early adopters who are willing to work on refining the technology until it's production-ready. The 4-stable branch will also not be created until just before 4.1 is released, the period following a .0 release being the best time to collect serious feedback before branching the tree."

For a static list of mirrors, see this section in the FreeBSD Handbook. Alternatively, try Gavin Cameron's automatically updating list of mirror sites.

Lots of you wrote in with this -- we've been holding back at Theo's request until the CDs were available, but OpenBSD 2.6 is now released and available from the FTP sites, or by ordering CDs. There are lots of technical enhancements to this release (which are detailed below), and if they don't grab you, check out the very cool CD cover art.

The complete list of changes to 2.6 is too long to list here. However, some of the highlights are:

• Add ssh (OpenSSH) to the base system
• Reliability patches for the PowerPC port
• Improved support for ext2fs
• Perl 5.005_03 in the base system
• Support Joliet filesystems
• More security fixes
• USB support
• Fixes to the ATAPI support
• Speed up the install process
• Many manual page updates

and much more.

Anonymous Coward writes "The OpenSSH project now has a central webpage at www.openssh.com. OpenSSH is based on the last free version of Tatu Ylonen's SSH with all patent-encumbered algorithms removed, all known security bugs fixed, new features reintroduced and many other clean-ups."