We would like to thank the OpenSSH community for their continued support to the project, especially those who contributed source and bought T-shirts or posters.
We have a new design of T-shirt available, more info on OpenBSD: T-shirts.
For international orders use and for European orders, use .eu.
Security Changes:
=================
All versions of OpenSSH's sshd prior to 3.7 contain a buffer management error. It is uncertain whether this error is potentially exploitable, however, we prefer to see bugs fixed proactively.
OpenSSH 3.7 fixes this bug.
Changes since OpenSSH 3.6.1:
============================
- The entire OpenSSH code-base has undergone a license review. As a result, all non-ssh1.x code is under a BSD-style license with no advertising requirement. Please refer to README in the source distribution for the exact license terms.
- Rhosts authentication has been removed in ssh(1) and sshd(8).
- Changes in Kerberos support:
- KerberosV password support now uses a file cache instead of a memory cache.
- KerberosIV and AFS support has been removed.
- KerberosV support has been removed from SSH protocol 1.
- KerberosV password authentication support remains for SSH protocols 1 and 2.
- This release contains some GSSAPI user authentication support to replace legacy KerberosV authentication support. At present this code is still considered experimental and SHOULD NOT BE USED.
- Changed order that keys are tried in public key authentication. The ssh(1) client tries the keys in the following order:
- ssh-agent(1) keys that are found in the ssh_config(5) file
- remaining ssh-agent(1) keys
- keys that are only listed in the ssh_config(5) file
This helps when an ssh-agent(1) has many keys, where the sshd(8) server might close the connection before the correct key is tried.
- SOCKS5 support has been added to the dynamic forwarding mode in ssh(1).
- Removed implementation barriers to operation of SSH over SCTP.
- sftp(1) client can now transfer files with quote characters in their filenames.
- Replaced sshd(8)'s VerifyReverseMapping with UseDNS option. When UseDNS option is on, reverse hostname lookups are always performed.
- Fix a number of memory leaks.
- Support for sending tty BREAK over SSH protocol 2.
- Workaround for other vendor bugs in KEX guess handling.
- Support for generating KEX-GEX groups (/etc/moduli) in ssh-keygen(1).
- Automatic re-keying based on amount of data sent over connection.
- New AddressFamily option on client to select protocol to use (IPv4 or IPv6).
- Experimental support for the "aes128-ctr", "aes192-ctr", and "aes256-ctr" ciphers for SSH protocol 2.
- Experimental support for host keys in DNS (draft-ietf-secsh-dns-xx.txt). Please see README.dns in the source distribution for details.
Portable OpenSSH:
- Replace PAM password authentication kludge with a more correct PAM challenge-response module from FreeBSD.
- PAM support may now be enabled/disabled at runtime using the UsePAM directive.
- Many improvements to the OpenSC smartcard support.
- Regression tests now work with portable OpenSSH. Please refer to regress/README.regress in the source distribution.
- On platforms that support it, portable OpenSSH now honors the UMASK, PATH and SUPATH attributes set in /etc/default/login.
- Deny access to locked accounts, regardless of authentication method in use.
Checksums:
==========
- MD5 (openssh-3.7.tgz) = 86864ecc276c5f75b06d4872a553fa70
- MD5 (openssh-3.7p1.tar.gz) = 77662801ba2a9cadc0ac10054bc6cb37
Reporting Bugs:
===============
- please read OpenSSH: Problem Reports and Bugzilla Main Page
OpenSSH is brought to you by Markus Friedl, Niels Provos, Theo de Raadt, Kevin Steves, Damien Miller, Ben Lindstrom, Darren Tucker and Tim Rice.
