Stay Informed
This week, read about:
- FBI Warns of BlackCat Ransomware That Breached Over 60 Organisations Worldwide.
- Spotify Launches New Fund to Support Independent Open Source Projects.
- Samsung Is Elected to the Technical Oversight Committee of the O-RAN Open Source Project.
Key Security, Maintenance, and Features Releases
Security Updates
OpenSSH 9.0
This release switches scp(1) from using the legacy scp/rcp protocol to using the SFTP protocol by default.
Legacy scp/rcp performs wildcard expansion of remote filenames (e.g. "scp host:* .") through the remote shell. This has the side effect of requiring double quoting of shell meta-characters in file names included on scp(1) command-lines, otherwise they could be interpreted as shell commands on the remote side.
This creates one area of potential incompatibility: scp(1) when using the SFTP protocol no longer requires this finicky and brittle quoting, and attempts to use it may cause transfers to fail. We consider the removal of the need for double-quoting shell characters in file names to be a benefit and do not intend to introduce bug-compatibility for legacy scp/rcp in scp(1) when using the SFTP protocol.
Another area of potential incompatibility relates to the use of remote paths relative to other user's home directories, for example - "scp host:~user/file /tmp". The SFTP protocol has no native way to expand a ~user path. However, sftp-server(8) in OpenSSH 8.7 and later support a protocol extension "expand-path@openssh.com" to support this.
ISC Bind 9.19.0
According to RFC 8310, Section 8.1, the Subject field MUST NOT be inspected when verifying a remote certificate while establishing a DNS-over-TLS connection. Only subjectAltName must be checked instead. Unfortunately, some quite old versions of cryptographic libraries might lack the ability to ignore the Subject field. This should have minimal production-use consequences, as most of the production-ready certificates issued by certificate authorities will have subjectAltName set. In such cases, the Subject field is ignored. Only old platforms are affected by this, e.g. those supplied with OpenSSL versions older than 1.1.1. [GL #3163]
Add support for remote TLS certificate verification, both to named and dig, making it possible to implement Strict and Mutual TLS authentication, as described in RFC 9103, Section 9.3. [GL #3163]
dnssec-verify and dnssec-signzone now accept a -J option to specify a journal file to read when loading the zone to be verified or signed. [GL #2486]
Non-Security Updates
PostgreSQL JDBC Driver 42.3.4
fix: change name of build cache PR 2471
feat: add support for ResultSet#getObject(OffsetTime.class) and PreparedStatement#setObject(OffsetTime.class) PR 2467
fix: Use non-synchronized getTimeZone in TimestampUtils PR 2451
docs: Fix CHANGELOG.md misformatted markdown headings PR 2461