OpenSSH 10.3 - Patches Security Bugs and Drops Rekeying Support

In short, OpenSSH fixed security issues and dropped support for a legacy feature (old-style rekeying).
OpenSSH 10.3 has been released with five security fixes and drops support for legacy rekeying. The latter affects older SSH implementations and may cause compatibility problems. Users should upgrade to avoid the patched vulnerabilities.
What Happened
OpenSSH 10.3 has been released, introducing five critical security fixes along with new features and behavior changes. One of the major changes is the removal of legacy rekeying support, which means older SSH clients and servers that do not support rekeying will fail to interoperate with OpenSSH going forward. This change could disrupt many deployments still using outdated SSH software.
The Flaw
Among the five vulnerabilities patched, one notable issue is a validation-timing flaw in the SSH client: shell metacharacters in usernames could be expanded through % tokens in ssh_config, potentially letting an attacker who controls the username execute arbitrary shell commands. Additionally, a bug in sshd caused authorized keys to be matched incorrectly, which could allow unauthorized access under certain conditions.
What's at Risk
The vulnerabilities primarily affect users who rely on SSH for secure communications. If an attacker can manipulate usernames or exploit the certificate matching bug, they could gain unauthorized access to systems. The removal of legacy rekeying support may also leave older systems vulnerable if they cannot upgrade to compatible versions.
Patch Status
OpenSSH has addressed these vulnerabilities in the 10.3 release. Users are strongly encouraged to upgrade to this version to mitigate risks associated with the identified flaws. The project has also standardized how empty principals in certificates are treated, ensuring better security practices.
Immediate Actions
- Upgrade to OpenSSH 10.3 to ensure you have the latest security fixes.
- Verify that your SSH clients and servers support rekeying before upgrading.
- Review your configurations to ensure they do not expose command-line arguments to untrusted input.
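One way to act on the last item, as an added example that is not OpenSSH's own code: it scans a constructed ssh_config for directives whose value is run by a shell (ProxyCommand, LocalCommand, KnownHostsCommand, Match exec) and expands the remote user or host name through % tokens, and it applies an assumed conservative allow-list to user names before they are handed to ssh.

```python
import re

# Client directives whose value ssh(1) hands to the user's shell; % tokens are
# expanded into the command string before it runs.
COMMAND_DIRECTIVES = {"proxycommand", "localcommand", "knownhostscommand"}

# Tokens whose expansion comes from data a remote party can influence: the remote
# user name (%r) and the host name as typed (%n) or as used for the connection (%h).
RISKY_TOKENS = ("%r", "%h", "%n")

# Assumed local policy (not an OpenSSH rule): POSIX portable user-name characters
# only, so no shell metacharacter can ever reach an expanded command.
USER_RE = re.compile(r"^[a-z_][a-z0-9_.-]{0,31}$")


def is_safe_remote_user(name: str) -> bool:
    """True if `name` may be passed to ssh (-l / User) under the allow-list above."""
    return bool(USER_RE.match(name))


def audit_ssh_config(text: str) -> list:
    """Return (line_number, directive, tokens) for each shell-executed directive that
    expands a risky token. Comments and blank lines are skipped."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        if len(parts) != 2:
            continue
        key, value = parts[0].lower(), parts[1]
        runs_shell = key in COMMAND_DIRECTIVES or (
            key == "match" and "exec" in value.lower().split())
        if runs_shell:
            tokens = [t for t in RISKY_TOKENS if t in value]
            if tokens:
                findings.append((lineno, key, tokens))
    return findings


# Constructed sample ~/.ssh/config used to exercise the audit.
SAMPLE_CONFIG = """\
# constructed sample config
Host bastion
    ProxyCommand ssh -W %h:%p jump.example.com
Host *.internal
    PermitLocalCommand yes
    LocalCommand logger "ssh session as %r to %h"
Host build
    ProxyCommand nc -X connect -x proxy.example.com:8080 %h %p
Match exec "test -f /tmp/%r" host *
    IdentityFile ~/.ssh/other_key
"""

if __name__ == "__main__":
    for lineno, key, tokens in audit_ssh_config(SAMPLE_CONFIG):
        print(f"line {lineno}: {key} expands {', '.join(tokens)} into a shell command")
    for user in ("deploy", "deploy;id", "git user"):
        print(f"{user!r}: {'ok' if is_safe_remote_user(user) else 'rejected'}")
```

Every finding is a place where an untrusted user or host name is interpolated into a command line; on a pre-10.3 client those are the directives to review first.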
Conclusion
The release of OpenSSH 10.3 marks a significant step in enhancing security while phasing out outdated practices. Users must be proactive in upgrading and ensuring their systems are compatible with the latest standards to maintain secure operations.