openSSH 8.0.0 (2019-04-18)

See also

• https://github.com/openssh/openssh-portable/releases

• https://github.com/openssh/openssh-portable/tree/V_8_0_P1

LWN.net announce

See also

• https://lwn.net/Articles/786236/rss

OpenSSH 8.0 has been released with a bunch of new features and some bug fixes, including one for a security problem: “This release contains mitigation for a weakness in the scp(1) tool and protocol (CVE-2019-6111): when copying files from a remote system to a local directory, scp(1) did not verify that the filenames that the server sent matched those requested by the client.

This could allow a hostile server to create or clobber unexpected local files with attacker-controlled content.

This release adds client-side checking that the filenames sent from the server match the command-line request,

Warning

The scp protocol is outdated, inflexible and not readily fixed. We recommend the use of more modern protocols like sftp and rsync for file transfer instead.”