OpenSSH Releases Version 5.0

os2man lets us know that OpenSSH version 5.0 has been released. The mirrors are linked from the top page. "OpenSSH (OpenBSD Secure Shell) is a set of computer programs providing encrypted communication sessions over a computer network using the ssh protocol. It was created as an open source alternative to the proprietary Secure Shell software suite offered by SSH Communications Security. OpenSSH is available for almost any Operating System."

Re:Stay Classy

[Jeremiah+Cornelius]

Yeah. Some content in this front-page article - beyond the version number - would have been helpful.

security update?

[N3TW4LK3R]

Is there anything 'new' to this version 5.0? From what I can see in the announcement, it is merely a security update from version 4.9:

Changes since OpenSSH 4.9:

Security:

  * CVE-2008-1483: Avoid possible hijacking of X11-forwarded connections
      by refusing to listen on a port unless all address families bind
      successfully.

Re:security update?

[Kjella]

You are talking about OpenSSH here. It is not "merely" a security update. It is a top priority security update.

Besides, what other kind of update would you expect on ssh? Support for some new SSL/TLS/SFTP/whatever version? Ports to new architectures (if there's any left)? Major performance upgrade? Better X forwarding compression? New authentication method support? Honestly, I don't know what the possible hot items could be, or even if OpenSSH does all of these things. I don't know but the part about point releases is pretty useless if it doesn't mean anything special at all... then last could be 49 and this release 50, you sorta expect something more when you roll out x.0 releases. Besides, while I'm sure this is a Big Thing for OpenSSH the IPv6 page on WP still says "As of November 2007, IPv6 accounts for a minuscule percentage of the live addresses in the publicly-accessible Internet, which is still dominated by IPv4." So yeah, it's an issue if you're on an IPv6 network but it's hardly a Slammer worm class exploit.

Re:security update?

[Vellmont]

Besides, what other kind of update would you expect on ssh?

Going from a 4.x release to a 5.x release? Something more than what's sounds like a small patch to fix a security problem. (I believe I saw a backport of this fix on a recent Ubuntu update).

Re:Stay Classy

[Copid]

I don't think that anybody is questioning whether a mistake was made. The problem is that there's no reason to publicly humiliate the people (read: volunteers) who made it in order to correct it. The point could just as easily have been made without specifically naming anybody.

I know that if I sent out a mass emailed "reminder" to my company about the proper protocol for something and specifically called out somebody from another group in it, the response would be a universal, "What a dick!" I'd be lucky to avoid being taken to the woodshed by my boss for it. That's just not how it's done.

Re:Stay Classy

[Kjella]

Well, there's a reason that Theo has alienated... well, pretty much everyone except the OpenBSD team and probably some of those too. If he didn't manage OpenSSH, I'd probably barely hear of him as an entirely inconsequential character. Clearly he knows his coding but he reminds me of someone at work I heard of - he was explicitly forbidden from attending customer meetings and communicating with the client directly. He had some resemblence of social antennas with the developers he worked with but probably think they're all morons too. It's amazing what'll pass if you can just keep them contained and they do a good job, as long as they don't poison the whole environment. Nice people that are watercooler attendants are much nicer to work with, but at the end of the day they still haven't got anything done and that's what the business ultimately sees.