4.131. openssh

Updated openssh packages that resolve an issue are now available for Red Hat Enterprise Linux 5.
OpenSSH is OpenBSD's SSH (Secure Shell) protocol implementation. These packages include the core files necessary for both the OpenSSH client and server.

Bug Fix

BZ#730652
When Federal Information Processing Standards (FIPS) mode was enabled on a system, key-based authentication was always unsuccessful. This was caused by the newly introduced pubkey_key_verify() verification function, which did not take into consideration the fact that it was running in a FIPS environment. With this update, the pubkey_key_verify() function has been modified to respect FIPS, and authentication using an RSA key is now successful without any issues when FIPS mode is enabled.
All users of openssh are advised to upgrade to these updated packages, which resolve this issue.
Updated openssh packages that fix multiple bugs and add one enhancement are now available for Red Hat Enterprise Linux 5.
OpenSSH is OpenBSD's Secure Shell (SSH) protocol implementation. These packages include the core files necessary for the OpenSSH client and server.

Bug Fixes

BZ#642935
Previously, the SSH daemon (sshd) attempted to bind port 22 to both Internet Protocol version 6 (IPv6) and Internet Protocol version 4 (IPv4). As a consequence, SSH targeted IPv4 and failed to bind after the second attempt. This update uses the IPV6_V6ONLY flag to allow SSH to listen to both on IPv4 and IPv6. (BZ#640857) * Previously, SELinux denied /sbin/setfiles access to a leaked SSH tcp_socket file descriptor when requested by the restorecon command. This update modifies sshd to set the file descriptors flag FD_CLOEXEC on the socket file descriptor. Now, sshd no longer leaks any descriptor.
BZ#674747
Previously, the pubkey_key_verify() function did not detect if it was running in a Federal Information Processing Standards (FIPS) environment. As a consequence, key-based authentication failed when the FIPS mode was enabled on a system. With this update, the pubkey_key_verify() function has been modified to respect FIPS. Now, authentication using an RSA key is successful when the FIPS mode is enabled.
BZ#681291
By default, OpenSSH used the /dev/urandom file to reseed the OpenSSL random number generator. Prior to this update, this random number generator was reseeded only once when the SSH daemon service, the SSH client, or an SSH-aware utility was started. To guarantee sufficient entropy, this update modifies the underlying source code to reseed the OpenSSL random number generator periodically. Additionally, the "SSH_USE_STRONG_RNG" environment variable has been added to allow users to specify /dev/random as the random number generator.
BZ#689406
Previously, the SELinux policy did not allow to execute the passwd command from sshd directly. With this update, sshd resets the default policy behavior before executing the passwd command.
BZ#706315
Previously, the lastlog command did not correctly report the last login log when processing users with User IDs (UIDs) greater than 2147483647. This update modifies the underlying code so that lastlog now works for all users.
BZ#710229
Previously, SSH did not send or accept the LANGUAGE environment variable. This update adds the SendEnv LANGUAGE option to the SSH configuration file and the AcceptEnv option to the sshd configuration file. Now, the environment variable LANGUAGE is send and received.
BZ#731925
Previously, running the mdoc option "groff -m" on OpenSSH manual pages caused formatting errors. This update modifies the manual page formatting. Now, the mdoc option "groff -m" runs as expected.
BZ#731930
Prior to this update, the ssh-copy-id script wrongly copied the identity.pub key instead of the id_rsa.pub key. This update modifies the underlying code so that ssh-copy-id now copies by default the id_rsa.pub key.
BZ#750725
Previously, SSH clients could, under certain circumstances, wait indefinitely at atomicio() in ssh_exchange_identification() when the SSH server stopped responding. This update uses the ConnectTimeout parameter to stop SSH clients from waiting after timeout.

Enhancement

BZ#720598
With this update the umask feature was added to the sftp subsystem to create a secure file transfer environment using the sftp service.
All users of openssh are advised to upgrade to these updated packages, which fix these bugs and add this enhancement.