OpenSSH 9.9 Released
OpenSSH 9.9, released on September 19, 2024, adds a hybrid ML-KEM/X25519 post-quantum key exchange, disables DSA signatures by default, removes pre-authentication compression from the client, and carries various bug fixes.
OpenSSH 9.9 was released on September 19, 2024. Notable additions are a hybrid post-quantum key exchange that combines ML-KEM (FIPS 203) with X25519 ECDH (mlkem768x25519-sha256), new sshd(8) controls for refusing unwanted connections, and a faster implementation of the sntrup761x25519 (NTRU Prime) key exchange. The release also disables the DSA signature algorithm by default at compile time, ahead of its planned removal in early 2025; DSA in SSH is limited to 1024-bit keys and SHA-1, which is why the project considers it inherently weak. Other changes include the removal of pre-authentication compression from the ssh(1) client, which takes a code path that ran before the peer had authenticated out of the attack surface, changes to how some configuration directives are processed, and assorted bug fixes. The release notes thank the OpenSSH community for its contributions, ask users to report bugs, and invite donations to support the project. The release is available for download from the official OpenSSH website.
- OpenSSH 9.9 introduces post-quantum key exchange and improved connection controls.
- The DSA signature algorithm is disabled by default at compile time, with complete removal planned for early 2025.
- Pre-authentication compression has been removed from the ssh(1) client to shrink the pre-authentication attack surface.
- The release includes various bug fixes and performance improvements.
- Users can download the new version from the official OpenSSH website.
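The two changes most likely to matter on an existing fleet are the new mlkem768x25519-sha256 key exchange and the loss of ssh-dss. The script below is an added example (not OpenSSH project code) that checks both on whatever OpenSSH is installed, using `ssh -Q kex` and `ssh -Q key`, and shows how to read the negotiated key exchange out of `ssh -vv` output. The algorithm lists and the debug transcript embedded in it are constructed samples, not captures from a real host, so the helper functions can be exercised offline.

```shell
#!/bin/sh
# Added example, not code from the OpenSSH project: check a local OpenSSH
# build for the 9.9-era changes (hybrid ML-KEM kex present, DSA gone).
# Real `ssh -Q` output is used when ssh is on PATH; otherwise the constructed
# samples below stand in for it.

# Does the newline-separated list in $1 contain exactly the algorithm $2?
has_algo() {
    printf '%s\n' "$1" | grep -qxF -- "$2"
}

# Returns 0 if the hybrid ML-KEM/X25519 kex is offered, 1 otherwise.
pq_kex_available() {
    has_algo "$1" "mlkem768x25519-sha256"
}

# Returns 0 if DSA key support (ssh-dss) is still compiled in, 1 if absent.
dsa_still_enabled() {
    has_algo "$1" "ssh-dss"
}

# Extract the negotiated kex from `ssh -vv` output passed in $1.
# OpenSSH logs it as "debug1: kex: algorithm: <name>".
negotiated_kex() {
    printf '%s\n' "$1" | sed -n 's/^debug1: kex: algorithm: //p' | head -n 1
}

# --- constructed samples (not captured from a real host) ---------------------
# Shape of `ssh -Q kex` on a 9.9 build: sntrup761 stays first in the default
# preference list; mlkem768x25519-sha256 is offered but is not yet the default.
SAMPLE_KEX_99='sntrup761x25519-sha512@openssh.com
mlkem768x25519-sha256
curve25519-sha256
curve25519-sha256@libssh.org
diffie-hellman-group-exchange-sha256'

# `ssh -Q key` shape for a pre-9.9 build that still carries DSA...
SAMPLE_KEY_98='ssh-ed25519
ecdsa-sha2-nistp256
rsa-sha2-512
ssh-dss'

# ...and for a 9.9 build compiled with the default (DSA disabled).
SAMPLE_KEY_99='ssh-ed25519
ecdsa-sha2-nistp256
rsa-sha2-512'

# A few lines in the shape of `ssh -vv host` when the PQ kex was negotiated.
SAMPLE_DEBUG='debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: algorithm: mlkem768x25519-sha256
debug1: kex: host key algorithm: ssh-ed25519'

# Report on the installed ssh, falling back to the samples when absent.
report() {
    if command -v ssh >/dev/null 2>&1; then
        kex=$(ssh -Q kex)
        key=$(ssh -Q key)
    else
        kex=$SAMPLE_KEX_99
        key=$SAMPLE_KEY_99
    fi
    if pq_kex_available "$kex"; then
        echo "PQ kex mlkem768x25519-sha256: available"
    else
        echo "PQ kex mlkem768x25519-sha256: NOT available (pre-9.9 build?)"
    fi
    if dsa_still_enabled "$key"; then
        echo "DSA (ssh-dss): still enabled; rotate any DSA keys before 2025"
    else
        echo "DSA (ssh-dss): disabled"
    fi
    echo "kex negotiated in sample transcript: $(negotiated_kex "$SAMPLE_DEBUG")"
}

report
```

`ssh -Q kex` only tells you what the client can offer; whether a session actually uses the post-quantum exchange depends on the server too, so check a real connection with `ssh -vv host` and look for the `kex: algorithm:` line, or pin it with `-o KexAlgorithms=mlkem768x25519-sha256` and see whether the connection still succeeds. In 9.9 the hybrid ML-KEM exchange is offered but sntrup761x25519-sha512 remains first in the default preference list, so a 9.9 client talking to a 9.9 server will normally still negotiate sntrup761 unless you reorder KexAlgorithms.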
Related
XZ backdoor: Hook analysis
Kaspersky experts analyzed the hooks the XZ backdoor installs inside sshd (OpenSSH 9.7p1), revealing hidden connection handling, an SSH authentication bypass and remote code execution. The backdoor hides attacker commands inside the RSA public key presented at login, a form of steganography, and executes them.
RegreSSHion: RCE in OpenSSH's server, on glibc-based Linux systems
A vulnerability in OpenSSH's server on glibc-based Linux systems (CVE-2024-6387) allows remote code execution. Exploiting this flaw requires precise timing. The advisory discusses exploitation details, success rates, and contacting developers for related issues.
OpenSSH Race condition resulting in potential remote code execution
OpenSSH 9.8, released on July 1, 2024, fixes a signal-handler race condition in sshd(8) that can lead to remote code execution (CVE-2024-6387) and a logic error in the ObscureKeystrokeTiming feature of ssh(1), announces the coming deprecation of DSA support, and introduces per-source penalties for failed or abusive connection attempts, alongside various other improvements.
Remote Unauthenticated Code Execution in OpenSSH Server
Qualys found regreSSHion, a critical RCE flaw in OpenSSH on glibc-based Linux systems. Over 14 million servers are at risk, with potential root access. Qualys created an exploit but delays release for patching.
Some thoughts on OpenSSH 9.8's PerSourcePenalties feature
OpenSSH 9.8's PerSourcePenalties feature lets sshd(8) temporarily refuse connections from addresses whose earlier connections ended badly (crashes, authentication failures, connections closed without authenticating). The default penalty for a connection that closes without attempting authentication is one second, so ordinary health checks are unlikely to be locked out. Administrators should watch how the feature behaves in their environment before tuning the values.
* https://security.googleblog.com/2024/09/a-new-path-for-kyber...
Draft for adding it to TLS (1.3):
* https://datatracker.ietf.org/doc/draft-kwiatkowski-tls-ecdhe...
(Also not a cryptographer)
Probably will use this on my homelab though.