From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <corinna-cygwin@cygwin.com>
Received: from mout.kundenserver.de (mout.kundenserver.de [212.227.126.134])
 by sourceware.org (Postfix) with ESMTPS id 2E1D53858C3A
 for <cygwin-announce@cygwin.com>; Wed, 20 Oct 2021 07:51:41 +0000 (GMT)
DMARC-Filter: OpenDMARC Filter v1.4.1 sourceware.org 2E1D53858C3A
Received: from calimero.vinschen.de ([24.134.7.25]) by
 mrelayeu.kundenserver.de (mreue009 [212.227.15.167]) with ESMTPSA (Nemesis)
 id 1N49Yn-1mlSIs3TdJ-0102AA for <cygwin-announce@cygwin.com>; Wed, 20 Oct
 2021 09:51:39 +0200
Received: from localhost.localdomain (localhost.localdomain [127.0.0.1])
 by calimero.vinschen.de (Postfix) with ESMTP id 50723A8045D
 for <cygwin-announce@cygwin.com>; Wed, 20 Oct 2021 09:51:39 +0200 (CEST)
X-Mailbox-Line: From cygwin-announce-openssh-8.8p1-1 Wed Oct 20 09:50:24 2021
From: Corinna Vinschen <corinna-cygwin@cygwin.com>
To: cygwin-announce@cygwin.com
Date: Wed, 20 Oct 2021 09:50:24 +0200
Message-Id: <20211020095024.831855-1-corinna-cygwin@cygwin.com>
Subject: openssh 8.8p1-1
X-Provags-ID: V03:K1:G26YtQIazhbK2Fj6Cp4H9GxGHozS/AeWZrlQ8/iB6ftu96aI5EF
 Wk8ol2ibMs4fIZcjqcpnPWOg0XDnbJyKBKwVQXrwLudjG/DFsCZ15I/DWItQLXa7hJKpJzu
 ho6fK7owBUwbEXmeYCdEfpD595yT3sStINmeVnDCvankSx+DOY8wrQLQjxKpGb9xdr8ZmVV
 yQl/ZzqmSmicOIMowqpkg==
X-UI-Out-Filterresults: notjunk:1;V03:K0:lndseRn5Les=:BQ+YBp5M0P8aebH4woKgPW
 LaKbjeN/Fv8lQKEvKk8SpbtyIzTid12vlq5jsWotJuWsto6GM39wougxWCNXlf+QDNV+qTgI2
 n55WMXOs3RLGRL4pGOuEm4T/fPvVn9tpyEEJYYCID4VQoLYUZTNnfMoTBBHUKLjKaSqSKjpLh
 v8/g9H/IYfdFbEQ4a6qDRwL4X9644eauVJzrmuYctY5RdaNYz73HO4FerYpc60c+EUp/sbw3S
 Kjqr7/u3eap8yBstAQJVQ5kj0RBZmoOIsHVDIU7aZpcjIrg1NhGKvk71RZP9NrbFVfajcXyTT
 WjnptjYH6FoNTFC1WC60CqRFfeaaa30GyJVYvwsPsGqjl6o1P7q3Q8lm2uqRQ9c2wjIrRI28a
 CnDTNPZEzndKL1McmNVws8wp/igw1Kc4AkGFFimuFuCm5DZCelLfPOeoMwjP1y51o2/4RkJTd
 O3ouFuNmX+4gRf4O3u4AVYSGvh2ZOyKF3d4MoeuBq24P6qfeVM+e9jV7VxBAV9wsFbr9d8VU9
 o2z5/iQuqH7QtkPlIlx9oYFBYa88JJUoyIxaH6FYF/FE87/rQWFGpyXUBzsysAgg4YPyjBaJ3
 +EIuAhjuaQFoDE38ziMwRWpnaWbVsQevA//OdW0qCicHgcRQO8nTLbsBGLoMY2KNRKOcVBTV4
 r4ZoUWX/j6e5mSiEjmsBVJA461FLzW+WZJkizTBQS/cywd6A8KiREi1+/UlOwVFhFQytJPMWr
 FVeapc1KB3cHES9ffwjl/EfwaP+7xqGEOgBGByFNfHqgefgNdkQXk5gBQPs=
X-Spam-Status: No, score=-98.3 required=5.0 tests=BAYES_00,
 GOOD_FROM_CORINNA_CYGWIN, KAM_ASCII_DIVIDERS, KAM_DMARC_NONE, KAM_DMARC_STATUS,
 KAM_NUMSUBJECT, RCVD_IN_DNSWL_NONE, RCVD_IN_MSPIKE_H3, RCVD_IN_MSPIKE_WL,
 SPF_HELO_NONE, SPF_NEUTRAL,
 TXREP autolearn=ham autolearn_force=no version=3.4.4
X-Spam-Checker-Version: SpamAssassin 3.4.4 (2020-01-24) on
 server2.sourceware.org
X-BeenThere: cygwin-announce@cygwin.com
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Read-only mailing list announcing new and updated Cygwin packages
 <cygwin-announce.cygwin.com>
List-Unsubscribe: <https://cygwin.com/mailman/options/cygwin-announce>,
 <mailto:cygwin-announce-request@cygwin.com?subject=unsubscribe>
List-Archive: <https://cygwin.com/pipermail/cygwin-announce/>
List-Help: <mailto:cygwin-announce-request@cygwin.com?subject=help>
List-Subscribe: <https://cygwin.com/mailman/listinfo/cygwin-announce>,
 <mailto:cygwin-announce-request@cygwin.com?subject=subscribe>
X-List-Received-Date: Wed, 20 Oct 2021 07:51:43 -0000

The following packages have been uploaded to the Cygwin distribution:

* openssh-8.8p1-1

OpenSSH is a program for logging into a remote machine and for
	executing commands on a remote machine.  It can replace rlogin and rsh,
	providing encrypted communication between two machines.

Official release message:

-----------------------------------------------------------------------------

OpenSSH 8.8 has just been released. It will be available from the
mirrors listed at https://www.openssh.com/ shortly.

OpenSSH is a 100% complete SSH protocol 2.0 implementation and
includes sftp client and server support.

Once again, we would like to thank the OpenSSH community for their
continued support of the project, especially those who contributed
code or patches, reported bugs, tested snapshots or donated to the
project. More information on donations may be found at:
https://www.openssh.com/donations.html

Future deprecation notice
=========================

A near-future release of OpenSSH will switch scp(1) from using the
legacy scp/rcp protocol to using SFTP by default.

Legacy scp/rcp performs wildcard expansion of remote filenames (e.g.
"scp host:* .") through the remote shell. This has the side effect of
requiring double quoting of shell meta-characters in file names
included on scp(1) command-lines, otherwise they could be interpreted
as shell commands on the remote side.

This creates one area of potential incompatibility: scp(1) when using
the SFTP protocol no longer requires this finicky and brittle quoting,
and attempts to use it may cause transfers to fail. We consider the
removal of the need for double-quoting shell characters in file names
to be a benefit and do not intend to introduce bug- compatibility for
legacy scp/rcp in scp(1) when using the SFTP protocol.

Another area of potential incompatibility relates to the use of remote
paths relative to other user's home directories, for example -
"scp host:~user/file /tmp". The SFTP protocol has no native way to
expand a ~user path. However, sftp-server(8) in OpenSSH 8.7 and later
support a protocol extension "expand-path@openssh.com" to support
this.

Security
========

sshd(8) from OpenSSH 6.2 through 8.7 failed to correctly initialise
supplemental groups when executing an AuthorizedKeysCommand or
AuthorizedPrincipalsCommand, where a AuthorizedKeysCommandUser or
AuthorizedPrincipalsCommandUser directive has been set to run the
command as a different user. Instead these commands would inherit
the groups that sshd(8) was started with.

Depending on system configuration, inherited groups may allow
AuthorizedKeysCommand/AuthorizedPrincipalsCommand helper programs to
gain unintended privilege.

Neither AuthorizedKeysCommand nor AuthorizedPrincipalsCommand are
enabled by default in sshd_config(5).

Potentially-incompatible changes
================================

This release disables RSA signatures using the SHA-1 hash algorithm
by default. This change has been made as the SHA-1 hash algorithm is
cryptographically broken, and it is possible to create chosen-prefix
hash collisions for <USD$50K [1]

For most users, this change should be invisible and there is
no need to replace ssh-rsa keys. OpenSSH has supported RFC8332
RSA/SHA-256/512 signatures since release 7.2 and existing ssh-rsa keys
will automatically use the stronger algorithm where possible.

Incompatibility is more likely when connecting to older SSH
implementations that have not been upgraded or have not closely tracked
improvements in the SSH protocol. For these cases, it may be necessary
to selectively re-enable RSA/SHA1 to allow connection and/or user
authentication via the HostkeyAlgorithms and PubkeyAcceptedAlgorithms
options. For example, the following stanza in ~/.ssh/config will enable
RSA/SHA1 for host and user authentication for a single destination host:

    Host old-host
        HostkeyAlgorithms +ssh-rsa
        PubkeyAcceptedAlgorithms +ssh-rsa

We recommend enabling RSA/SHA1 only as a stopgap measure until legacy
implementations can be upgraded or reconfigured with another key type
(such as ECDSA or Ed25519).

[1] "SHA-1 is a Shambles: First Chosen-Prefix Collision on SHA-1 and
    Application to the PGP Web of Trust" Leurent, G and Peyrin, T
    (2020) https://eprint.iacr.org/2020/014.pdf

Changes since OpenSSH 8.7
=========================

This release is motivated primarily by the above deprecation and
security fix.

New features
------------
 * ssh(1): allow the ssh_config(5) CanonicalizePermittedCNAMEs
   directive to accept a "none" argument to specify the default
   behaviour.

Bugfixes
--------

 * scp(1): when using the SFTP protocol, continue transferring files
   after a transfer error occurs, better matching original scp/rcp
   behaviour.

 * ssh(1): fixed a number of memory leaks in multiplexing,

 * ssh-keygen(1): avoid crash when using the -Y find-principals
   command.

 * A number of documentation and manual improvements, including
   bz#3340, PR#139, PR#215, PR#241, PR#257

Portability
-----------

 * ssh-agent(1): on FreeBSD, use procctl to disable ptrace(2)

 * ssh(1)/sshd(8): some fixes to the pselect(2) replacement
   compatibility code. bz#3345

Checksums:
==========

 - SHA1 (openssh-8.8.tar.gz) = 732947082a8998047e839cc0b4c066bf0a7e1a5b
 - SHA256 (openssh-8.8.tar.gz) = AngyrPSQH255hnzU1l7y+LlVAUNcGWtuYQIFEl22nRo=

 - SHA1 (openssh-8.8p1.tar.gz) = 1eb964897a4372f6fb96c7effeb509ec71c379c9
 - SHA256 (openssh-8.8p1.tar.gz) = RZCJDqm7ms5Pca4zF4WjpYIyMkNRYZYO1fyGWI8zH+k=

Please note that the SHA256 signatures are base64 encoded and not
hexadecimal (which is the default for most checksum tools). The PGP
key used to sign the releases is available from the mirror sites:
https://cdn.openbsd.org/pub/OpenBSD/OpenSSH/RELEASE_KEY.asc

Please note that the OpenPGP key used to sign releases has been
rotated for this release. The new key has been signed by the previous
key to provide continuity.

Reporting Bugs:
===============

- Please read https://www.openssh.com/report.html
  Security bugs should be reported directly to openssh@openssh.com