Bug 8281 - Our OpenSSH is out of date
Summary: Our OpenSSH is out of date
Status: CLOSED FIXED
Alias: None
Product: ThinLinc
Classification: Unclassified
Component: Client
Version: trunk
Hardware: PC Unknown
Importance: P2 Normal
Target Milestone: 4.16.0
Assignee: Pierre Ossman
URL:
Keywords: adaha_tester, prosaic
Depends on:
Blocks:
 
Reported: 2024-01-03 11:13 CET by Pierre Ossman
Modified: 2024-01-08 12:55 CET
2 users

See Also:
Acceptance Criteria:
MUST:
 * OpenSSH included in ThinLinc should not have any known security issues affecting ThinLinc users
SHOULD:
 * The latest stable OpenSSH should be included in ThinLinc


Description Pierre Ossman cendio 2024-01-03 11:13:05 CET
We currently have OpenSSH 9.0p1 in ThinLinc. The latest stable version is 9.6p1, and there have been some security fixes since our last upgrade. Some of those fixes might be relevant for us.
Comment 1 Pierre Ossman cendio 2024-01-03 11:33:34 CET
There doesn't seem to be anything relevant for us since our last upgrade. But it's probably best to stay in sync anyway:

9.2p1 fixed an issue in the SOCKS proxy, something we do not use.

9.2p1 also fixed issues with the hostname canonicalization, which we also do not use.

9.3p1 fixes an issue with getting host keys via DNS, a feature we do not support (bug 4706).

9.5p1 adds extra protection to make it difficult to detect keystrokes. It doesn't look like it will affect us, though, as it seems to only be for the normal TTY channel.

9.6p1 fixes a security issue that only seems to affect the above mentioned keystrokes obfuscation.

9.6p1 also has some fixes when ssh runs external commands, something we do not use.
Comment 8 Adam Halim cendio 2024-01-04 16:19:52 CET
Tested client build 3369 on Windows 10 & 11, macOS (x86 & arm) and Fedora 38 on a server running build 3471 on Fedora 38:

  Authentication | Win64 | macOS | Fedora 38 |
 ----------------+-------+-------+-----------+
   Kerberos      |   X   |   X   |     X     |
 ----------------+-------+-------+-----------+
   Smart card    |   X   |   X   |     X     |
 ----------------+-------+-------+-----------+
   SSH key       |   X   |   X   |     X     |
 ----------------+-------+-------+-----------+
   Password      |   X   |   X   |     X     |

Also tested client build 3369 on Fedora 38 on a server running build 3471 on SLES 12:

  Authentication | Fedora 38 |
 ----------------+-----------+
   Kerberos      |     *     |
 ----------------+-----------+
   Smart card    |     X     |
 ----------------+-----------+
   SSH key       |     X     |
 ----------------+-----------+
   Password      |     X     |

* Didn't manage to set up Kerberos properly on SLES 12.

Everything working as expected.
Comment 9 Pierre Ossman cendio 2024-01-04 16:25:13 CET
I also tested sound redirection from a Fedora 38 client to a Fedora 39 server.
Comment 10 Pierre Ossman cendio 2024-01-04 16:26:34 CET
I can't see anything in OpenSSH's release notes that will be noticeable by our users, so I'll omit release notes for this bug.
Comment 11 Pierre Ossman cendio 2024-01-04 16:30:18 CET
Everything should now be upgraded and working well:

> MUST:
> 
>  * OpenSSH included in ThinLinc should not have any known security issues
>    affecting ThinLinc users
> 

We did not find anything relevant among the OpenSSH release notes.

> SHOULD:
> 
>  * The latest stable OpenSSH should be included in ThinLinc

Yup, we're now using the latest version. This can be confirmed in the client log files.
Comment 12 Alexander Zeijlon cendio 2024-01-08 11:07:21 CET
I also tested that local drives work as expected. Client running on Fedora 39 and server running on RHEL 8.
Comment 13 Alexander Zeijlon cendio 2024-01-08 12:55:31 CET
Verify:
#######

> MUST:
> * OpenSSH included in ThinLinc should not have any known security
>   issues affecting ThinLinc users
✅ There is one known vulnerability, CVE-2023-51767, which affects versions through 9.6p1. But the components reported as vulnerable are not used in tlclient.

> SHOULD:
> * The latest stable OpenSSH should be included in ThinLinc
✅ Running tlclient in debug mode results in the following line in tlclient.log:
> 2024-01-05T13:18:39: ssh[E]: OpenSSH_9.6p1, OpenSSL 3.2.0 23 Nov 2023

We also looked through the commits that relate to signal handling on Windows, and they all look good, and were tested as of comment 8.

Closing!

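As an added example (not code from the ThinLinc project or this bug), the SHOULD check in comment 13 done programmatically: scan a tlclient.log for the OpenSSH banner line and compare the version against the release this bug targeted. Only the banner line is taken from the page; the surrounding log lines are constructed, and the minimum version is a parameter.

```python
import re

# Constructed sample tlclient.log excerpt. Only the ssh[E] banner line is the one
# quoted in comment 13; the other two lines are made up to exercise the scanner.
SAMPLE_LOG = """\
2024-01-05T13:18:30: tlclient[I]: starting
2024-01-05T13:18:39: ssh[E]: OpenSSH_9.6p1, OpenSSL 3.2.0 23 Nov 2023
2024-01-05T13:18:40: tlclient[I]: connected
"""

# OpenSSH reports itself as OpenSSH_<major>.<minor> with an optional
# portable-release suffix p<N> (e.g. 9.6p1).
VERSION_RE = re.compile(r"\bOpenSSH_(\d+)\.(\d+)(?:p(\d+))?")


def parse_openssh_version(line):
    """Return (major, minor, portable) parsed from a banner line, or None."""
    m = VERSION_RE.search(line)
    if not m:
        return None
    major, minor, portable = m.groups()
    return (int(major), int(minor), int(portable or 0))


def find_openssh_version(log_text):
    """Return the first OpenSSH version found in the log text, or None."""
    for line in log_text.splitlines():
        version = parse_openssh_version(line)
        if version is not None:
            return version
    return None


def check_log(log_text, minimum=(9, 6, 1)):
    """Return (ok, version): ok is True when the logged OpenSSH is >= minimum.

    A log with no banner line at all yields (False, None), so a missing
    version is treated as a failed check rather than silently passing.
    """
    version = find_openssh_version(log_text)
    return (version is not None and version >= minimum), version
```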