Thema: SSH/SSL/VPN Tools...

[SiLæncer]

What's new: >>

Bug fix: Memory leak into auto-password management feature.
New feature: Pause can be included into port knocking sequence.

http://www.9bis.net/kitty/?page=Welcome&zone=en

[SiLæncer]

Changelog

Andris Kalnozols (2):
      Fix some typos in the man page.
      Do not upcase x509-username-field for mixed-case arguments.

Arne Schwabe (1):
      Fix server routes not working in topology subnet with --server [v3]

David Sommerseth (4):
      Improve error reporting on file access to --client-config-dir and --ccd-exclusive
      Don't let openvpn_popen() keep zombies around
      Add systemd unit file for OpenVPN
      systemd: Use systemd functions to consider systemd availability

Gert Doering (4):
      Drop incoming fe80:: packets silently now.
      Fix t_lpback.sh platform-dependent failures
      Call init script helpers with explicit path (./)
      Preparing for release v2.3.5 (ChangeLog, version.m4)

Heiko Hund (1):
      refine assertion to allow other modes than CBC

Hubert Kario (2):
      ocsp_check - signature verification and cert staus results are separate
      ocsp_check - double check if ocsp didn't report any errors in execution

James Bekkema (1):
      Fix socket-flag/TCP_NODELAY on Mac OS X

James Yonan (6):
      Fixed several instances of declarations after statements.
      In socket.c, fixed issue where uninitialized value (err) is being passed to to gai_strerror.
      Explicitly cast the third parameter of setsockopt to const void * to avoid warning.
      MSVC 2008 doesn't support dimensioning an array with a const var nor using %z as a printf format specifier.
      Define PATH_SEPARATOR for MSVC builds.
      Fixed some compile issues with show_library_versions()

Jann Horn (1):
      Remove quadratic complexity from openvpn_base64_decode()

Mike Gilbert (1):
      Add configure check for the path to systemd-ask-password

Philipp Hagemeister (2):
      Add topology in sample server configuration file
      Implement on-link route adding for iproute2

Samuel Thibault (1):
      Ensure that client-connect files are always deleted

Steffan Karger (13):
      Remove function without effect (cipher_ok() always returned true).
      Remove unneeded wrapper functions in crypto_openssl.c
      Fix bug that incorrectly refuses oid representation eku's in polar builds
      Update README.polarssl
      Rename ALLOW_NON_CBC_CIPHERS to ENABLE_OFB_CFB_MODE, and add to configure.
      Add proper check for crypto modes (CBC or OFB/CFB)
      Improve --show-ciphers to show if a cipher can be used in static key mode
      Extend t_lpback tests to test all ciphers reported by --show-ciphers
      Don't exit daemon if opening or parsing the CRL fails.
      Fix typo in cipher_kt_mode_{cbc, ofb_cfb}() doxygen.
      Fix regression with password protected private keys (polarssl)
      ssl_polarssl.c: fix includes and make casts explicit
      Remove unused variables from ssl_verify_openssl.c extract_x509_extension()

TDivine (1):
      Fix "code=995" bug with windows NDIS6 tap driver.

[close]

http://openvpn.net/

[SiLæncer]

New features

    Several SMTP server protocol negotiation improvements.
    Added UTF-8 byte order marks to stunnel.conf templates.
    DH parameters are no longer generated by "make cert". The hardcoded DH parameters are sufficiently secure, and modern TLS implementations will use ECDH anyway.
    Updated manual for the "options" configuration file option.
    Added support for systemd 209 or later.
    New --disable-systemd ./configure option.
    setuid/setgid commented out in stunnel.conf-sample.

Bugfixes

    Added support for UTF-8 byte order mark in stunnel.conf.
    Compilation fix for OpenSSL with disabled SSLv2 or SSLv3.
    Non-blocking mode set on inetd and systemd descriptors.
    shfolder.h replaced with shlobj.h for compatibility with modern Microsoft compilers.

https://www.stunnel.org/index.html

[SiLæncer]

Whats new: >>

Fixed a bug in the data socket that could cause slow downloads in certain network conditions

http://www.extenua.com/silvershield

[SiLæncer]

SmarTTY is an SSH client for Windows that supports multiple tabs, transferring files and entire directories via SCP and on-the-fly tar, automatic public key authentication setup, seamless X11 forwarding any many more features.

Freeware

http://smartty.sysprogs.com/

[SiLæncer]

What's new: >>

The Hyperlink patch from NuTTY (http://groehn.net/nutty/) was included into KiTTY a long time ago.
This patch was "buggy" !
the specific regular expression managment functions have a memory leak
the default regex was not right
In certain conditions, software crashes may occur.
We finally decided to rewrite the regex managment functions, using GNU libregex.a library. In the same time we modify the default regex with a more efficient once.
We also provide a new option -hyperlinkfix to generate a .reg file in order to change the regex in all sessions settings for people who save the previous buggy one.

Beside these modification we also fix some minor issues:

bug fix: "Window has Close button" option did not work at startup, but only after reconfiguration
bug fix: into registry file kitty.sav (auto saving of the KiTTY registry content), REG_DWORD type fields were not saved correctly

http://www.9bis.net/kitty/?page=Welcome&zone=en

[SiLæncer]

Whats new:>>

This release fixes a critical denial of service vulnerability in OpenVPN servers (CVE-2014-8104). The vulnerability only be exploited by authenticated clients only. Also note that confidentiality and authenticity of traffic are not affected.

http://openvpn.net/

[SiLæncer]

New features:

Updated automake to version 1.14.1.
OpenSSL directory searching is now relative to the sysroot.

Bug fixes:

Fixed improper hangup condition handling.

https://www.stunnel.org/index.html

[SiLæncer]

SSH-Server für Windows-Systeme

kostenlos (für privaten Gebrauch)

Whats new: >>

Security fix: Updated bash to fix shellshock and associated bugs
Security fix: Updated OpenSSL/OpenSSH
Improvement: Enhanced listing of Active Directory users
Improvement: Enhanced startup speed and cleaning of old files

http://mobassh.mobatek.net/

[SiLæncer]

Changelog

New features:

Added PSK authentication with two new service-level configuration file options "PSKsecrets" and "PSKidentity".
Added additional security checks to the OpenSSL memory management functions.
Added support for the OPENSSL_NO_OCSP and OPENSSL_NO_ENGINE OpenSSL configuration flags.
Added compatibility with the current OpenSSL 1.1.0-dev tree.

Bugfixes:

Removed defective s_poll_error() code occasionally causing connections to be prematurely closed (truncated). This bug was introduced in stunnel 4.34.
Fixed ./configure systemd detection (thx to Kip Walraven).
Fixed ./configure sysroot detection (thx to Kip Walraven).
Fixed compilation against old versions of OpenSSL.
Removed outdated French manual page.

[close]

https://www.stunnel.org/index.html

[SiLæncer]

Changelog

OpenSSL Security Advisory [08 Jan 2015]
=======================================

DTLS segmentation fault in dtls1_get_record (CVE-2014-3571)
===========================================================

Severity: Moderate

A carefully crafted DTLS message can cause a segmentation fault in OpenSSL due
to a NULL pointer dereference. This could lead to a Denial Of Service attack.

This issue affects all current OpenSSL versions: 1.0.1, 1.0.0 and 0.9.8.

OpenSSL 1.0.1 DTLS users should upgrade to 1.0.1k.
OpenSSL 1.0.0 DTLS users should upgrade to 1.0.0p.
OpenSSL 0.9.8 DTLS users should upgrade to 0.9.8zd.

This issue was reported to OpenSSL on 22nd October 2014 by Markus Stenberg of
Cisco Systems, Inc. The fix was developed by Stephen Henson of the OpenSSL
core team.

DTLS memory leak in dtls1_buffer_record (CVE-2015-0206)
=======================================================

Severity: Moderate

A memory leak can occur in the dtls1_buffer_record function under certain
conditions. In particular this could occur if an attacker sent repeated DTLS
records with the same sequence number but for the next epoch. The memory leak
could be exploited by an attacker in a Denial of Service attack through memory
exhaustion.

This issue affects OpenSSL versions: 1.0.1 and 1.0.0.

OpenSSL 1.0.1 DTLS users should upgrade to 1.0.1k.
OpenSSL 1.0.0 DTLS users should upgrade to 1.0.0p.

This issue was reported to OpenSSL on 7th January 2015 by Chris Mueller who also
provided an initial patch. Further analysis was performed by Matt Caswell of the
OpenSSL development team, who also developed the final patch.

no-ssl3 configuration sets method to NULL (CVE-2014-3569)
=========================================================

Severity: Low

When openssl is built with the no-ssl3 option and a SSL v3 ClientHello is
received the ssl method would be set to NULL which could later result in
a NULL pointer dereference.

This issue affects all current OpenSSL versions: 1.0.1, 1.0.0 and 0.9.8.

OpenSSL 1.0.1 users should upgrade to 1.0.1k.
OpenSSL 1.0.0 users should upgrade to 1.0.0p.
OpenSSL 0.9.8 users should upgrade to 0.9.8zd.

This issue was reported to OpenSSL on 17th October 2014 by Frank Schmirler. The
fix was developed by Kurt Roeckx.


ECDHE silently downgrades to ECDH [Client] (CVE-2014-3572)
==========================================================

Severity: Low

An OpenSSL client will accept a handshake using an ephemeral ECDH ciphersuite
using an ECDSA certificate if the server key exchange message is omitted. This
effectively removes forward secrecy from the ciphersuite.

This issue affects all current OpenSSL versions: 1.0.1, 1.0.0 and 0.9.8.

OpenSSL 1.0.1 users should upgrade to 1.0.1k.
OpenSSL 1.0.0 users should upgrade to 1.0.0p.
OpenSSL 0.9.8 users should upgrade to 0.9.8zd.

This issue was reported to OpenSSL on 22nd October 2014 by Karthikeyan
Bhargavan of the PROSECCO team at INRIA. The fix was developed by Stephen
Henson of the OpenSSL core team.


RSA silently downgrades to EXPORT_RSA [Client] (CVE-2015-0204)
==============================================================

Severity: Low

An OpenSSL client will accept the use of an RSA temporary key in a non-export
RSA key exchange ciphersuite. A server could present a weak temporary key
and downgrade the security of the session.

This issue affects all current OpenSSL versions: 1.0.1, 1.0.0 and 0.9.8.

OpenSSL 1.0.1 users should upgrade to 1.0.1k.
OpenSSL 1.0.0 users should upgrade to 1.0.0p.
OpenSSL 0.9.8 users should upgrade to 0.9.8zd.

This issue was reported to OpenSSL on 22nd October 2014 by Karthikeyan
Bhargavan of the PROSECCO team at INRIA. The fix was developed by Stephen
Henson of the OpenSSL core team.


DH client certificates accepted without verification [Server] (CVE-2015-0205)
=============================================================================

Severity: Low

An OpenSSL server will accept a DH certificate for client authentication
without the certificate verify message. This effectively allows a client
to authenticate without the use of a private key. This only affects servers
which trust a client certificate authority which issues certificates
containing DH keys: these are extremely rare and hardly ever encountered.

This issue affects OpenSSL versions: 1.0.1 and 1.0.0.

OpenSSL 1.0.1 users should upgrade to 1.0.1k.
OpenSSL 1.0.0 users should upgrade to 1.0.0p.

This issue was reported to OpenSSL on 22nd October 2014 by Karthikeyan
Bhargavan of the PROSECCO team at INRIA. The fix was developed by Stephen
Henson of the OpenSSL core team.


Certificate fingerprints can be modified (CVE-2014-8275)
========================================================

Severity: Low

OpenSSL accepts several non-DER-variations of certificate signature
algorithm and signature encodings. OpenSSL also does not enforce a
match between the signature algorithm between the signed and unsigned
portions of the certificate. By modifying the contents of the
signature algorithm or the encoding of the signature, it is possible
to change the certificate's fingerprint.

This does not allow an attacker to forge certificates, and does not
affect certificate verification or OpenSSL servers/clients in any
other way. It also does not affect common revocation mechanisms. Only
custom applications that rely on the uniqueness of the fingerprint
(e.g. certificate blacklists) may be affected.

This issue affects all current OpenSSL versions: 1.0.1, 1.0.0 and
0.9.8.

OpenSSL 1.0.1 users should upgrade to 1.0.1k.
OpenSSL 1.0.0 users should upgrade to 1.0.0p.
OpenSSL 0.9.8 users should upgrade to 0.9.8zd.

One variant of this issue was discovered by Antti Karjalainen and
Tuomo Untinen from the Codenomicon CROSS program and reported to
OpenSSL on 1st December 2014 by NCSC-FI Vulnerability
Co-ordination. Another variant was independently reported to OpenSSL
on 12th December 2014 by Konrad Kraszewski from Google. Further
analysis was conducted and fixes were developed by Stephen Henson of
the OpenSSL core team.

Bignum squaring may produce incorrect results (CVE-2014-3570)
=============================================================

Severity: Low

Bignum squaring (BN_sqr) may produce incorrect results on some
platforms, including x86_64. This bug occurs at random with a very
low probability, and is not known to be exploitable in any way, though
its exact impact is difficult to determine. The following has been
determined:

*) The probability of BN_sqr producing an incorrect result at random
is very low: 1/2^64 on the single affected 32-bit platform (MIPS) and
1/2^128 on affected 64-bit platforms.
*) On most platforms, RSA follows a different code path and RSA
operations are not affected at all. For the remaining platforms
(e.g. OpenSSL built without assembly support), pre-existing
countermeasures thwart bug attacks [1].
*) Static ECDH is theoretically affected: it is possible to construct
elliptic curve points that would falsely appear to be on the given
curve. However, there is no known computationally feasible way to
construct such points with low order, and so the security of static
ECDH private keys is believed to be unaffected.
*) Other routines known to be theoretically affected are modular
exponentiation, primality testing, DSA, RSA blinding, JPAKE and
SRP. No exploits are known and straightforward bug attacks fail -
either the attacker cannot control when the bug triggers, or no
private key material is involved.

This issue affects all current OpenSSL versions: 1.0.1, 1.0.0 and 0.9.8.

OpenSSL 1.0.1 users should upgrade to 1.0.1k.
OpenSSL 1.0.0 users should upgrade to 1.0.0p.
OpenSSL 0.9.8 users should upgrade to 0.9.8zd.

This issue was reported to OpenSSL on 2nd November 2014 by Pieter Wuille
(Blockstream) who also suggested an initial fix. Further analysis was
conducted by the OpenSSL development team and Adam Langley of
Google. The final fix was developed by Andy Polyakov of the OpenSSL
core team.

[1] http://css.csail.mit.edu/6.858/2013/readings/rsa-bug-attacks.pdf

Note
====

As per our previous announcements and our Release Strategy
(https://www.openssl.org/about/releasestrat.html), support for OpenSSL versions
1.0.0 and 0.9.8 will cease on 31st December 2015. No security updates for these
releases will be provided after that date. Users of these releases are advised
to upgrade.

References
==========

URL for this Security Advisory:
https://www.openssl.org/news/secadv_20150108.txt

Note: the online version of the advisory may be updated with additional
details over time.

For details of OpenSSL severity classifications please see:
https://www.openssl.org/about/secpolicy.html

[close]

http://www.openssl.org/

[SiLæncer]

Changelog

Changes between 1.0.1k and 1.0.1l [15 Jan 2015]

  *) Build fixes for the Windows and OpenVMS platforms
     [Matt Caswell and Richard Levitte]

[close]

http://www.openssl.org/

[SiLæncer]

What's new: >>

New feature: New shortcut CTRL+PrintScreen to generate a screen copy.
Bug fix: Crash into configuration box if Start button is pressed twice.
Bug fix: Modification of the delay in automatic reconnection on network failure and system wakeup.

http://www.9bis.net/kitty/?page=Welcome&zone=en

[SiLæncer]

Changelog

Profiles:

Per-profile host keys and client keypairs: Host authentication public keys, as well as client authentication keypairs, can now be stored in individual profiles. This allows a profile to contain all information needed to establish an SSH session, without requiring host key or client keypair information to be passed via command line parameters, or stored in Windows registry.
When a host key is verified by the user, and the SSH session uses a profile, a copy of the host key will now be automatically saved in the profile.
Per-profile proxy settings: Proxy settings can now be configured for individual profiles as well, allowing a profile to override globally configured proxy settings.
Implemented measures to ensure profile consistency when accessed by multiple SSH Client instances.
When opening profiles created using Bitvise SSH Client 4.xx, previous 6.xx versions would be unable to open profiles with an invalid Remote Desktop Computer field. Attempts to open such profiles would fail with a validation error, but a description of the validation error would not be displayed. Fixed.

SSH:

Delayed negotiation of zlib compression, as advertised by servers using the 'zlib@openssh.com' algorithm, is now supported. Because of an inherent race condition in the OpenSSH implementation of delayed compression, Bitvise SSH Client implements this in the same way as PuTTY - by triggering a second key exchange after successful authentication.

Authentication:

Graphical management of server-side public keys: The graphical SSH Client now supports management of the user's public keys trusted by the server using SPKS, the Secure Shell Public Key Subsystem. As in previous 6.xx versions, this functionality also continues to be available in the spksc command line client.
Agent forwarding: The SSH Client now supports agent forwarding if it is supported by the SSH Server. A remote SSH client running on the server can use agent forwarding to perform public key authentication using client keypairs managed by the local SSH Client.
Agent support: Both the graphical client, as well as the command line clients, now support public key authentication using keypairs available through the OpenSSH authentication agent (ssh-agent) or the PuTTY authentication agent (pageant).
Improved the choice of default subsequent authentication method offered when the server requires both password and public key authentication.
Fixed an issue which prevented use of public key authentication as configured in a profile supplied with the "-profile" command line parameter.

File transfer:

sftpc now supports launching local commands prefixed with '!' in scripted mode. A non-zero return code is treated as an error.
sftpc can now execute "ldir" to provide expected results if the current local directory points to a network share.

Remote Desktop:

Automatic sign-on for Remote Desktop now works with Microsoft accounts, as well.

General:

Sessions that attempted to register a large number of simultaneous client-to-server port forwarding rules could be terminated by an error. Fixed.
Improved disconnection responsiveness and reliability.
Improved trace logging.
In recent 6.xx versions, a license code could not be applied unless the client was started using elevation. Fixed.

Terminal:

Mouse input is now supported. Supported mouse modes are X10 compatible, Normal, Cell Motion and All Motion. Supports X10, UTF8, SGR, and URXVT coordinates. Supported are all 3 main mouse buttons; combinations with Alt, Shift, and Ctrl keys; and the mouse wheel. When mouse tracking is enabled by the server, client-side text selection and copying remains possible using the left Shift key.
The terminal window color palette can now be configured.
A setting is now supported to allow the terminal window to remain open after a terminal session closes.
The terminal client will now display terminal titles received from the server via xterm. The client will append such titles to the initial title.
Characters that could not normally be entered using the currently active input method can now be entered using Alt + NumPad or using copy and paste.

When using the graphical SSH Client in conjunction with a non-bvterm terminal protocol, such as xterm, the SSH Client will now use a custom terminal window with features not available with a Windows console window:

Draggable resizing
Support for xterm-256color
Support for non-block copy & paste
Improved performance

[close]

http://www.bitvise.com/tunnelier

[SiLæncer]

Whats new:>>

New features:

OCSP AIA (Authority Information Access) support. This feature can be enabled with the new service-level option "OCSPaia".
Additional security features of the linker are enabled: "-z relro", "-z now", "-z noexecstack".

Bugfixes:

OpenSSL DLLs updated to version 1.0.1l. https://www.openssl.org/news/secadv_20150108.txt
FIPS canister updated to version 2.0.9 in the Win32 binary build.

https://www.stunnel.org/index.html