Download OpenSSH 5.2

OpenSSH is an implementation of the ssh protocol, which allows encrypted connections between (usually) *nix machines. The program is seen by many as a more secure alternative to telnet and rlogin. The developers behind OpenSSH have released a new stable build in the form of version 5.2. The new version can be downloaded here and takes up approximately 477 kilobytes of disk space as a tarball. The OpenSSH 5.2 changelog looks like this:

Security:

• This release changes the default cipher order to prefer the AES CTR modes and the revised “arcfour256” mode to CBC mode ciphers that are susceptible to CPNI-957037 “Plaintext Recovery Attack Against SSH”.
• This release also adds countermeasures to mitigate CPNI-957037-style attacks against the SSH protocol’s use of CBC-mode ciphers. Upon detection of an invalid packet length or Message Authentication Code, ssh/sshd will continue reading up to the maximum supported packet length rather than immediately terminating the connection. This eliminates most of the known differences in behavior that leaked information about the plaintext of injected data which formed the basis of this attack. We believe that these attacks are rendered infeasible by these changes.

New features:

• Added a -y option to ssh(1) to force logging to syslog rather than stderr, which is useful when running daemonised (ssh -f)
• The sshd_config(5) ForceCommand directive now accepts commandline arguments for the internal-sftp server.
• The ssh(1) ~C escape commandline now support runtime creation of dynamic (-D) port forwards.
• Support the SOCKS4A protocol in ssh(1) dynamic (-D) forwards. (bz#1482)
• Support remote port forwarding with a listen port of ‘0’. This informs the server that it should dynamically allocate a listen port and report it back to the client. (bz#1003)
• sshd(8) now supports setting PermitEmptyPasswords and AllowAgentForwarding in Match blocks

Bug and documentation fixes

• Repair a ssh(1) crash introduced in openssh-5.1 when the client is sent a zero-length banner (bz#1496)
• Due to interoperability problems with certain broken SSH implementations, the eow@openssh.com and no-more-sessions@openssh.com protocol extensions are now only sent to peers that identify themselves as OpenSSH.
• Make ssh(1) send the correct channel number for SSH2_MSG_CHANNEL_SUCCESS and SSH2_MSG_CHANNEL_FAILURE messages to avoid triggering ‘Non-public channel’ error messages on sshd(8) in openssh-5.1.
• Avoid printing ‘Non-public channel’ warnings in sshd(8), since the ssh(1) has sent incorrect channel numbers since ~2004 (this reverts a behavior introduced in openssh-5.1).
• Avoid double-free in ssh(1) ~C escape -L handler (bz#1539)
• Correct fail-on-error behavior in sftp(1) batchmode for remote stat operations. (bz#1541)
• Disable nonfunctional ssh(1) ~C escape handler in multiplex slave connections. (bz#1543)
• Avoid hang in ssh(1) when attempting to connect to a server that has MaxSessions=0 set.
• Multiple fixes to sshd(8) configuration test (-T) mode
• Several core and portable OpenSSH bugs fixed: 1380, 1412, 1418, 1419, 1421, 1490, 1491, 1492, 1514, 1515, 1518, 1520, 1538, 1540
• Many manual page improvements.