OpenSSH 3.5 Released

← Back to Stories (view on slashdot.org)

Posted by timothy on Tuesday October 15, 2002 @01:53PM from the vavavoom dept.

Dan writes "Markus Friedl announces that OpenSSH 3.5 has just been released with notable updates since 3.4. It will be available from the mirrors listed at http://www.openssh.com/ shortly. Enhancements include bug fixes, improved support for Privilege Separation (Portability, Kerberos, PermitRootLogin handling), RSA blinding in order to avoid timing attacks against the RSA host key and much more. Congratulations are in order for the OpenSSH team's hard work and efforts."

5 of 140 comments (clear)

Min score:

Reason:

Sort:

Check those MD5s! by egg+troll · 2002-10-15 13:56 · Score: 5, Informative

Remember to check the MD5s of those downloads this time around!

--

C - A language that combines the speed of assembly with the ease of use of assembly.
Re:Stupid question.. by Kwikymart · 2002-10-15 14:33 · Score: 5, Informative

The same people that make OpenBSD make OpenSSH?

Whenever some story about, say KDE, pops up everyone is like "this is the best thing for Linux since sliced bread". Reality check: not all people run KDE run it on Linux. I think the BSD people should be entitled to the same "This is what we do for everyone!" type of recognition as everyone else.

--

Buying a Dell computer is equivalent to dropping the soap in a prison shower.
Re:MD5 is just a hash... by wirelessbuzzers · 2002-10-15 15:38 · Score: 5, Informative

They do have a GPG detached sig. The portable version is signed by Damien Miller (and verified, and it matches the MD5), for example. But, on the other hand, Damien miller's key has no sigs on it, so there's no reason for us to believe that it really belongs to him...

So, in the end, you're just going to have to trust that *somebody* isn't out to get you, unless you want to run through the source code line-by-line... ...Or, you can download it now, wait a few days (faster than examining the source), and see if they post "OpenSSL trojaned!!" to the front page of Slashdot, then install it. Take your pick.

--
I hereby place the above post in the public domain.
Re:RSA by Permission+Denied · 2002-10-15 16:16 · Score: 5, Informative

print pack"C*",split/\D+/,`echo "16iII*o\U@{$/=$z;[(pop,pop,unpack"H*", )]}\EsMsK sN0[lN*1lK[d2%Sa2/d0 NO CARRIER

You again. Excellent troll, but you need to choose a different motif for your nicks.
For the uninitiated: that is not perl. It is line noise with some perl operators, bundled into a cleverly-masked troll. This guy is an old sport at this, previously using the name "PhysicsGenius". Check his (short) user history, and this guy's posting history. I simply cannot believe that moderators would be so idiotic as to mod this stuff up, so my conjecture is that he has two accounts: one to troll, and another serious account with mod points. It may be interesting to correlate average time between mod points to his posting history.
Relevant anecdote: the original OpenSSH sources had an "RSA in six lines of perl" in a comment of one of the source files. Theo removed that in some version. A little too much angst there, if you ask me - this stuff is supposed to be fun.
Re:Slow Down by dmiller · 2002-10-16 00:25 · Score: 5, Informative

Firstly, do you patch all local privilege escalation vulnerabilities as quickly as you patch remote vulnerabilities? I know I don't.

Please RTFM: An attacker breaking privsep will find themselves in an empty chroot jail with a unique, non-priviliged UID & GID. Leveraging such an attack to even read local files would be very difficult.

Your points about a broken privsep being used to stage network-based attacks are valid.