Opened 18 years ago
Closed 18 years ago
#2188 closed defect (fixed)
OpenSSH-4.5p1 / Security fixes
| Reported by: | | Owned by: | |
|---|---|---|---|
| Priority: | high | Milestone: | 6.2.0 |
| Component: | BOOK | Version: | SVN |
| Severity: | critical | Keywords: | |
| Cc: | | | |
Description (last modified by )
OpenSSH 4.4p1 has been released. It fixes three security issues as well as adding some features.
http://www.openssh.com/txt/release-4.4
Now OpenSSH 4.5p1 with some additional security fixes.
Change History (5)
comment:1 by , 18 years ago
| Severity: | normal → critical |
|---|---|
comment:2 by , 18 years ago
The SVN version of the LiveCD has this package. Basic testcases such as "connect to another host", "start a server and let the user log in using a password", "forward a local port", "get a warning on host key change" pass. However, I don't think that testing by two people in VMware is sufficient to let the package in.
Please test at least the following before letting the package in:
- syslogging of failed connections with/without PAM, with password and/or public key
- remote and dynamic port forwarding
- X forwarding
- restrictions on public keys in .authorized_keys file
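One way to work through the first item in that checklist, syslogging of failed connections with and without PAM for password and public-key attempts, is to run the daemon's syslog output through a small classifier and compare what it finds against the attempts you made. This is an added example, not code from the ticket or the BLFS book; the log lines are constructed samples modelled on the syslog format of sshd and pam_unix, and the `livecd` hostname, pids and addresses are invented.

```python
import re
from collections import Counter

# Constructed sample syslog lines, modelled on what sshd (and pam_unix, when
# sshd is built with PAM) write during failed and successful logins.
SAMPLE_LOG = """\
Nov 12 10:01:01 livecd sshd[2312]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.0.2.10  user=root
Nov 12 10:01:02 livecd sshd[2312]: Failed password for root from 192.0.2.10 port 40122 ssh2
Nov 12 10:01:05 livecd sshd[2314]: Failed password for invalid user admin from 192.0.2.10 port 40123 ssh2
Nov 12 10:01:09 livecd sshd[2315]: Failed publickey for alice from 192.0.2.11 port 40130 ssh2
Nov 12 10:02:00 livecd sshd[2320]: Accepted publickey for bob from 192.0.2.12 port 40140 ssh2
"""

# One sshd child process (the pid in brackets) handles one connection, so the
# pid ties a PAM failure record to the "Failed ..." line for the same attempt.
FAILED_RE = re.compile(
    r"sshd\[(?P<pid>\d+)\]: Failed (?P<method>password|publickey) for "
    r"(?P<invalid>invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)
PAM_RE = re.compile(r"sshd\[(?P<pid>\d+)\]: pam_unix\(sshd:auth\): authentication failure")


def parse_failures(log_text):
    """Return one record per failed authentication attempt found in log_text."""
    pam_pids = {m.group("pid") for m in PAM_RE.finditer(log_text)}
    return [
        {
            "user": m.group("user"),
            "method": m.group("method"),
            "ip": m.group("ip"),
            "invalid_user": m.group("invalid") is not None,
            "pam": m.group("pid") in pam_pids,  # PAM also recorded this attempt
        }
        for m in FAILED_RE.finditer(log_text)
    ]


def failures_by_source(failures):
    """Count failures per (source address, method), the view a lockout check wants."""
    return Counter((f["ip"], f["method"]) for f in failures)


if __name__ == "__main__":
    records = parse_failures(SAMPLE_LOG)
    for record in records:
        print(record)
    print(failures_by_source(records))
```

If a deliberate failed login does not show up in the parsed records, the daemon's `LogLevel` or the syslog facility routing is the first thing to check.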
comment:3 by , 18 years ago
It's working fine so far for me, but I don't do anything special with it. I've tested with PAM for failed logins w/ password & public keys. I've tested X forwarding over PAM. So far, everything's fine. I'm not too good with port forwarding, so it'd be better if someone else checked this out.
comment:4 by , 18 years ago
| Description: | modified (diff) |
|---|---|
| Owner: | changed from  to |
| Status: | new → assigned |
| Summary: | OpenSSH-4.4p1 / Security fixes → OpenSSH-4.5p1 / Security fixes |
I'm thinking the most prudent thing to do is update this package. The vulnerabilities need to be addressed. If someone is already using this version without issues, I can update the BLFS book easily enough.
Otherwise, let's hope that someone can update to this version and test things out a bit. To me, simply starting the daemon and connecting from another host and then using the client to connect to a remote daemon should be enough.
I suppose the only concern would be to ensure that this new version is backward compatible with previous versions (though I can't imagine that it is not).