OpenSSH 8.0 released

This release contains mitigation for a weakness in the scp(1) tool
and protocol (CVE-2019-6111): when copying files from a remote system
to a local directory, scp(1) did not verify that the filenames that
the server sent matched those requested by the client. This could
allow a hostile server to create or clobber unexpected local files
with attacker-controlled content.

This release adds client-side checking that the filenames sent from
the server match the command-line request,

The scp protocol is outdated, inflexible and not readily fixed. We
recommend the use of more modern protocols like sftp and rsync for
file transfer instead.


Written by Michael Larabel hours later

  • OpenSSH 8.0 Released - Addresses SCP Vulnerability, New SSH Additions

    Theo de Raadt and the OpenBSD developers maintaining OpenSSH today unveiled OpenSSH 8.0.

    OpenSSH 8.0 does have an important security fix if you use scp for copying files to/from remote systems. Up until now, when copying files from remote systems to a local directory, SCP was not verifying the filenames of what was being sent from the server to the client, and that could allow a hostile server to create or clobber unexpected local files with attacker-controlled data regardless of what file(s) were actually requested for copying from the remote server.

  • OpenSSH 8.0 released

    OpenSSH 8.0 has just been released. It will be available from the
    mirrors listed at http://www.openssh.com/ shortly.

    OpenSSH is a 100% complete SSH protocol 2.0 implementation and
    includes sftp client and server support.

    Once again, we would like to thank the OpenSSH community for their
    continued support of the project, especially those who contributed
    code or patches, reported bugs, tested snapshots or donated to the
    project. More information on donations may be found at:
    http://www.openssh.com/donations.html

  • OpenSSH 8.0 released; addresses SCP vulnerability and new SSH additions

    Theo de Raadt and the OpenBSD developers who maintain OpenSSH today released the latest version, OpenSSH 8.0.

    OpenSSH 8.0 has an important security fix for a weakness in the scp(1) tool when you use scp for copying files to/from remote systems. Till now, when copying files from remote systems to a local directory, SCP was not verifying the filenames of what was being sent from the server to the client. This allowed a hostile server to create or clobber unexpected local files with attacker-controlled data regardless of what file(s) were actually requested for copying from the remote server. OpenSSH 8.0 adds client-side checking that the filenames sent from the server match the command-line request.

    While this client-side checking has been added to SCP, the OpenSSH developers recommend against using it and suggest sftp, rsync, or other alternatives instead. “The scp protocol is outdated, inflexible and not readily fixed. We recommend the use of more modern protocols like sftp and rsync for file transfer instead,” the OpenSSH developers mention.
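The client-side filename check these excerpts describe, sketched as an added example (it is not OpenSSH's code and not part of any quoted article). It assumes the scp file record form `C<mode> <size> <name>`, matches only the last component of the request with fnmatch(3), and uses hypothetical function names and constructed sample records.

```c
#include <fnmatch.h>
#include <stdio.h>
#include <string.h>

/* Extract the filename from an scp "C<mode> <size> <name>\n" record.
 * Returns 0 on success, -1 if the record is malformed or the name too long. */
static int parse_c_record(const char *rec, char *name, size_t cap)
{
    unsigned int mode;
    unsigned long long size;
    int off = 0;
    size_t len;

    if (rec[0] != 'C' ||
        sscanf(rec + 1, "%o %llu %n", &mode, &size, &off) < 2 || off == 0)
        return -1;
    if (mode > 07777)
        return -1;
    len = strcspn(rec + 1 + off, "\n");
    if (len == 0 || len >= cap)
        return -1;
    memcpy(name, rec + 1 + off, len);
    name[len] = '\0';
    return 0;
}

/* Return 1 if the record may be written locally for this request, else 0. */
int record_allowed(const char *requested, const char *rec)
{
    char name[256];
    const char *pat = strrchr(requested, '/');

    pat = pat ? pat + 1 : requested;   /* last path component of the request */
    if (parse_c_record(rec, name, sizeof(name)) != 0)
        return 0;
    if (strchr(name, '/') || !strcmp(name, ".") || !strcmp(name, ".."))
        return 0;                      /* never accept a path or directory alias */
    return fnmatch(pat, name, 0) == 0; /* name must match what the user asked for */
}

int main(void)
{
    /* Constructed records, as received for a request of "docs/*.txt". */
    const char *recs[] = { "C0644 12 report.txt\n", "C0600 40 other.cfg\n",
                           "C0644 5 ../notes.txt\n" };
    for (size_t i = 0; i < 3; i++)
        printf("%.*s -> %s\n", (int)strcspn(recs[i], "\n"), recs[i],
               record_allowed("docs/*.txt", recs[i]) ? "accept" : "reject");
    return 0;
}
```

The explicit `/` check matters because `fnmatch` without `FNM_PATHNAME` lets `*` match a slash, so `../notes.txt` would otherwise satisfy `*.txt`.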
