Latest upstream release: 6.9p1
Current version/release in rawhide: 6.8p1-9.fc23
URL: http://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/
Please consult the package updates policy before you issue an update to a stable branch: https://fedoraproject.org/wiki/Updates_Policy
More information about the service that created this bug can be found at: https://fedoraproject.org/wiki/Upstream_release_monitoring
Please keep in mind that with any upstream change, there may also be packaging changes that need to be made. Specifically, please remember that it is your responsibility to review the new version to ensure that the licensing is still correct and that no non-free or legally problematic items have been added upstream.
Created attachment 1045050 [patch] Update to 6.9p1 (#1238253)
Scratch build failed http://koji.fedoraproject.org/koji/taskinfo?taskID=10259348
jjelen's openssh-6.9p1-1.fc23 completed http://koji.fedoraproject.org/koji/buildinfo?buildID=666339
openssh-6.9p1-1.fc22 has been submitted as an update for Fedora 22. https://admin.fedoraproject.org/updates/openssh-6.9p1-1.fc22
Can this land in Fedora 21 as well?
Package openssh-6.9p1-1.fc22:
* should fix your issue,
* was pushed to the Fedora 22 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing openssh-6.9p1-1.fc22'
as soon as you are able to.
Please go to the following url: https://admin.fedoraproject.org/updates/FEDORA-2015-11063/openssh-6.9p1-1.fc22 then log in and leave karma (feedback).
Hi Allen, Fedora 21 has version 6.6.1p1, which is 3 minor versions behind upstream. I don't plan to update openssh there, to keep at least some stability. I fixed there only the security problems provided in this version. Are you aiming for some specific feature?
Hi Jakub,
Woops. I misread the 6.9 release notes. I thought chacha20-poly1305 was *added* but in fact it was *promoted* to the default crypto.
But from 6.7:
 * sftp(1): Allow resumption of interrupted uploads.
And from 6.8:
 * ssh(1), ssh-keysign(8): Make ed25519 keys work for host based authentication.
Is any update out of the question? How about an update to 6.8p1?
Yes, it was only promoted as a default cipher to slowly obsolete openssl. The bugfixes you mentioned seem reasonable to have in Fedora 21 as well.
In openssh-6.8 there was quite a lot of refactoring and changes in defaults that can be potentially harmful:
 * sshd(8): UseDNS now defaults to 'no'. Configurations that match against the client host name (via sshd_config or authorized_keys) may need to re-enable it or convert to matching against addresses.
And new features changing behaviour:
 * Add FingerprintHash option to ssh(1) and sshd(8), and equivalent command-line flags to the other tools to control algorithm used for key fingerprints. The default changes from MD5 to SHA256 and format from hex to base64. Fingerprints now have the hash algorithm prepended. An example of the new format: SHA256:mVPwvezndPv/ARoIadVY98vAC0g+P/5633yTC4d/wXE Please note that visual host keys will also be different.
And in openssh-6.7 a few more:
 * sshd(8): The default set of ciphers and MACs has been altered to remove unsafe algorithms. In particular, CBC ciphers and arcfour* are disabled by default. The full set of algorithms remains available if configured explicitly via the Ciphers and MACs sshd_config options.
 * OpenSSH 6.5 and 6.6 have a bug that causes ~0.2% of connections using the curve25519-sha256 KEX exchange method to fail when connecting with something that implements the specification correctly. OpenSSH 6.7 disables this KEX method when speaking to one of the affected versions.
For now, as was announced, only the security update will land in F21, and I will consider rebasing to 6.9 there as well while maintaining a compatible setup, if possible.
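
The FingerprintHash change quoted in the comment above (MD5 hex to SHA256 base64, with the algorithm name prepended), as an added example that is not part of the original thread or of OpenSSH's code: it derives both fingerprint forms from a public key line and checks a key against a fingerprint recorded before or after the upgrade. The function names and the sample key are constructed for illustration.

```python
import base64
import hashlib
import struct

def parse_pubkey_line(line):
    """Return (key_type, blob) from a 'type base64 [comment]' public key line."""
    key_type, b64 = line.split()[:2]
    blob = base64.b64decode(b64, validate=True)
    # The blob begins with a length-prefixed copy of the key type; it must agree.
    (n,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + n] != key_type.encode("ascii"):
        raise ValueError("key type does not match key blob")
    return key_type, blob

def fingerprint_md5(blob):
    """Old default: MD5 of the blob as colon-separated hex (6.8+ prepends 'MD5:')."""
    h = hashlib.md5(blob).hexdigest()
    return "MD5:" + ":".join(h[i:i + 2] for i in range(0, 32, 2))

def fingerprint_sha256(blob):
    """New default: SHA256 of the blob as base64 with '=' padding stripped."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode("ascii").rstrip("=")

def matches_recorded(blob, recorded):
    """Check a key against a fingerprint noted down in any of the three forms."""
    recorded = recorded.strip()
    if recorded.startswith("SHA256:"):
        return recorded == fingerprint_sha256(blob)  # base64 is case-sensitive
    # 'MD5:aa:bb:..' (6.8+) or bare 'aa:bb:..' as printed by older releases
    hexpart = recorded[4:] if recorded.upper().startswith("MD5:") else recorded
    return "MD5:" + hexpart.lower() == fingerprint_md5(blob)

# Constructed sample key (not a real host key): ssh-ed25519 blob with bytes 0..31.
_blob = (struct.pack(">I", 11) + b"ssh-ed25519"
         + struct.pack(">I", 32) + bytes(range(32)))
SAMPLE_LINE = ("ssh-ed25519 " + base64.b64encode(_blob).decode("ascii")
               + " constructed@example")

if __name__ == "__main__":
    _, blob = parse_pubkey_line(SAMPLE_LINE)
    print(fingerprint_md5(blob))     # form a pre-6.8 client would have shown
    print(fingerprint_sha256(blob))  # form a 6.8+ client shows by default
```

A fingerprint pinned in documentation or a ticket before the upgrade will be in the bare hex form, so comparing strings directly against the new default output fails even when the host key is unchanged.
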
In order to follow the updates policy [1], and given the changes described in comment 9, I would be against updating openssh in Fedora 21, as it is considered a stable system and not even the newest stable one, which is Fedora 22 right now.
[1] https://fedoraproject.org/wiki/Updates_Policy#Stable_Releases
Jakub/Petr, No update then. I can make do on my own with other means. Thanks for the consideration.
We were talking about this with Petr. The update is not the way to go based on the Update Policy in Fedora 21. But I created a copr repo with the current openssh-6.9 for people who want bleeding-edge openssh, but not the whole system, and who don't care about backward compatibility: https://copr.fedoraproject.org/coprs/jjelen/openssh-latest/ Maybe that is better than letting users build it on their own.
openssh-6.9p1-1.fc22 has been pushed to the Fedora 22 stable repository. If problems still persist, please make note of it in this bug report.
Jakub, That's exactly what I was going to do. I also have my own Koji cooker. Thanks!
I just updated on Fedora 22 x64 with DNF and I got the
openssh x86_64 6.9p1-1.fc22 updates 443 k
openssh-clients x86_64 6.9p1-1.fc22 updates 643 k
openssh-server x86_64 6.9p1-1.fc22
It completely made 4 linux servers lemons. I can no longer ssh with putty into them, and one of the systems was doing routing and it is no longer doing it. I do not understand what happened, as it was perfectly working with
openssh-clients-6.8p1-8.fc22.x86_64 4/6
openssh-server-6.8p1-8.fc22.x86_64 5/6
openssh-6.8p1-8.fc22.x86_64
I can only ssh from linux to linux, but not from putty to linux. What can be done to fix this?
Bogdan, This ticket is closed but I found this in the OpenSSH 6.9p1 release notes (1):
Bugfixes
--------
 * ssh(1), sshd(8): deprecate legacy SSH2_MSG_KEX_DH_GEX_REQUEST_OLD message and do not try to use it against some 3rd-party SSH implementations that use it (older PuTTY, WinSCP).
Is there an update to PuTTY? Have you tried to change around the key exchange algorithms in PuTTY to see if you can get it to work?
1) http://www.openssh.com/txt/release-6.9