Bug 8389 - Our OpenSSH is out of date
Status: CLOSED FIXED
Alias: None
Product: ThinLinc
Classification: Unclassified
Component: Client
Version: trunk
Hardware: PC Unknown
Importance: P2 Normal
Target Milestone: 4.18.0
Assignee: Adam Halim
Keywords: ossman_tester, prosaic
Reported: 2024-07-19 16:10 CEST by Samuel Mannehed
Modified: 2024-08-16 17:09 CEST
Acceptance Criteria:
MUST:
* OpenSSH included in ThinLinc should not have any known security issues affecting ThinLinc users
SHOULD:
* The latest stable OpenSSH should be included in ThinLinc

Description Samuel Mannehed cendio 2024-07-19 16:10:24 CEST
We currently have OpenSSH 9.6p1 in ThinLinc. The latest stable version is 9.8p1, and there have been some security fixes since our last upgrade. Some of those fixes might be relevant for us:

https://www.openssh.com/releasenotes.html
Comment 1 Adam Halim cendio 2024-07-29 17:12:15 CEST
9.8 includes two security fixes:

  * (major) Race condition that may allow ACE with root privileges. This
    attack has been demonstrated on 32-bit Linux with glibc and ASLR.
    Exploits on 64-bit seem theoretically possible, but have not been
    demonstrated. In the 32-bit demonstration, it required 6-8 hours of
    continuous connections. This is likely unfeasible to do in practice.

  * (minor) The feature ObscureKeystrokeTiming, which is active by default, was
    ineffective due to a logical error introduced in 9.5.

9.7 doesn't seem to include any security fixes.

Overall, the impact is not critical.
Comment 4 Adam Halim cendio 2024-07-31 12:47:24 CEST
Updated to 9.8p1 and tested the following:

Tested password, smart card, public key, and Kerberos authentication on:
* Windows 11
* RHEL 9
* macOS 14.5
against a server on RHEL 9.

Also tested that the patches for bug 7623 and bug 7624 still work (with x86 Windows client).

Things work as expected.

> MUST:
>  ✅ OpenSSH included in ThinLinc should not have any known security issues
>     affecting ThinLinc users
There are no vulnerabilities listed on https://www.openssh.com/security.html
for 9.8p1, and I did not find anything anywhere else.

> SHOULD:
>  ✅ The latest stable OpenSSH should be included in ThinLinc
9.8p1 is the latest stable version.
Comment 5 Pierre Ossman cendio 2024-07-31 13:26:17 CEST
Our customization of OpenSSH seems to have been preserved, except two things:

1. Indentation in kex_assemble_names() got messed up a bit
2. read_passphrase() no longer sets rppflags correctly
Comment 8 Adam Halim cendio 2024-07-31 13:47:35 CEST
(In reply to Pierre Ossman from comment #5)
> Our customization of OpenSSH seems to have been preserved, except two things:
> 
> 1. Indentation in kex_assemble_names() got messed up a bit
> 2. read_passphrase() no longer sets rppflags correctly
This has been fixed as of r41112.
Comment 9 Adam Halim cendio 2024-07-31 15:57:38 CEST
OpenSSH plans to deprecate DSA signatures in the future and has disabled them by default at compile time in this release. DSA keys have been disabled at run time since 2015 already.
Comment 10 Adam Halim cendio 2024-07-31 16:21:40 CEST
We have patches to still support DSA keys (done as part of bug 4568). If we want to follow upstream and completely remove support for DSA, we should remove our patches as well.

OpenSSH announced that DSA will be completely removed by 2025/01 [1], meaning we could probably remove our patches in the 4.18.0 (or 4.19.0) release.

[1] https://lists.mindrot.org/pipermail/openssh-unix-dev/2024-January/041132.html
Comment 11 Adam Halim cendio 2024-07-31 16:49:19 CEST
(In reply to Adam Halim from comment #10)
> We have patches to still support DSA keys (done as part of bug 4568). If we
> want to follow upstream and completely remove support for DSA, we should
> remove our patches as well.
> 
> OpenSSH announced that DSA will be completely removed by 2025/01 [1],
> meaning we could probably remove our patches in the 4.18.0 (or 4.19.0)
> release.
Broken out to bug 8403.
Comment 12 Pierre Ossman cendio 2024-08-01 14:54:05 CEST
Our changes are now fully preserved. Changes compared to upstream also look sane.

Tested connecting to RHEL 8 and Ubuntu 24.04 with password. Also played YouTube in Firefox. Clients were Fedora 39, Windows 11 and macOS 14.

No issues seen (except bug 8404).

I also tested configuring Google Authenticator on Ubuntu 24.04 and connected from Fedora 39. No issues there either.

> MUST:
> 
>  * OpenSSH included in ThinLinc should not have any known security issues affecting ThinLinc users

We are using the latest version, so we should have all known fixes.

> SHOULD:
> 
>  * The latest stable OpenSSH should be included in ThinLinc

Indeed we do, 9.8p1.
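
An added example, not part of the original bug thread or of ThinLinc's code: a Python check that classifies an OpenSSH version string against the points raised in comments 1 and 9 (fixes shipped in 9.8, the ObscureKeystrokeTiming error present from 9.5 until 9.8, DSA off by default at compile time from 9.8). The function names and the sample banners are constructed for illustration.

```python
import re

# Version boundaries as stated in the thread above (comments 1 and 9).
FIXED_IN = (9, 8)          # release carrying the two security fixes
TIMING_BUG_SINCE = (9, 5)  # release that introduced the ObscureKeystrokeTiming error

# Matches `ssh -V` output, SSH identification strings and the Windows port's banner.
_BANNER = re.compile(r"OpenSSH_(?:for_Windows_)?(\d+)\.(\d+)")


def parse_openssh_version(banner):
    """Return (major, minor) from a banner such as 'OpenSSH_9.6p1, OpenSSL ...'."""
    match = _BANNER.search(banner)
    if match is None:
        raise ValueError(f"no OpenSSH version found in {banner!r}")
    return int(match.group(1)), int(match.group(2))


def assess(banner):
    """Classify a banner against the release boundaries discussed in this bug."""
    version = parse_openssh_version(banner)
    return {
        "version": version,
        # True when the build already carries the fixes that shipped in 9.8.
        "has_9_8_fixes": version >= FIXED_IN,
        # The logic error existed from 9.5 up to, but not including, 9.8.
        "keystroke_timing_ineffective": TIMING_BUG_SINCE <= version < FIXED_IN,
        # Upstream default only; a vendor build may re-enable DSA with patches.
        "dsa_off_by_default_at_build": version >= FIXED_IN,
    }


if __name__ == "__main__":
    # Constructed sample banners, not captured from any real system.
    samples = [
        "OpenSSH_9.6p1, OpenSSL 3.0.13 30 Jan 2024",
        "OpenSSH_9.8p1, OpenSSL 3.2.2 4 Jun 2024",
        "SSH-2.0-OpenSSH_9.4",
        "OpenSSH_for_Windows_8.1p1, LibreSSL 3.0.2",
    ]
    for sample in samples:
        print(sample, "->", assess(sample))
```

Versions are compared as integer tuples, so a future 10.0 sorts after 9.8, which a plain string comparison would get wrong.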