Slackware64-13.37 ChangeLog (2016-01-15)

Fri Jan 15 02:29:54 UTC 2016

Upgraded

  • patches/packages/openssh-7.1p2-x86_64-1_slack13.37.txz
    This update fixes an information leak and a buffer overflow. In particular,
    the information leak allows a malicious SSH server to steal the client's
    private keys. Thanks to Qualys for reporting this issue.
    For more information, see:
    https://www.qualys.com/2016/01/14/cve-2016-0777-cve-2016-0778/openssh-cve-2016-0777-cve-2016-0778.txt
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0777
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0778
    *
    * IMPORTANT: READ BELOW ABOUT POTENTIALLY INCOMPATIBLE CHANGES *
    *
    Rather than backport the fix for the information leak (which is the only
    hazardous flaw), we have upgraded to the latest OpenSSH. As of version
    7.0, OpenSSH has deprecated some older (and presumably less secure)
    algorithms, and also (by default) only allows root login by public-key,
    hostbased and GSSAPI authentication. Make sure that your keys and
    authentication method will allow you to continue accessing your system
    after the upgrade.
    The release notes for OpenSSH 7.0 list the following incompatible changes
    to be aware of:
    * Support for the legacy SSH version 1 protocol is disabled by
    default at compile time.
    * Support for the 1024-bit diffie-hellman-group1-sha1 key exchange
    is disabled by default at run-time. It may be re-enabled using
    the instructions at http://www.openssh.com/legacy.html
    * Support for ssh-dss, ssh-dss-cert-* host and user keys is disabled
    by default at run-time. These may be re-enabled using the
    instructions at http://www.openssh.com/legacy.html
    * Support for the legacy v00 cert format has been removed.
    * The default for the sshd_config(5) PermitRootLogin option has
    changed from “yes” to “prohibit-password”.
    * PermitRootLogin=without-password/prohibit-password now bans all
    interactive authentication methods, allowing only public-key,
    hostbased and GSSAPI authentication (previously it permitted
    keyboard-interactive and password-less authentication if those
    were enabled).
    (* Security fix *)