Today, the OpenSSH project announced the release of OpenSSH 9.8, available for download on its official mirrors. This release patches a critical issue (CVE-2024-6387) found in Portable OpenSSH versions 8.5p1 to 9.7p1.
The vulnerability, which can potentially allow arbitrary code execution with root privileges, particularly affects 32-bit Linux systems with address space layout randomization (ASLR).
Although exploitation has not been demonstrated on 64-bit systems, the possibility remains, and the risk is higher for systems without effective ASLR.
Another key fix addresses a logic error present in versions 9.5 through 9.7 that made the ObscureKeystrokeTiming feature ineffective. This flaw could enable a passive observer to detect keystrokes, which is a particular risk when sensitive information such as passwords is being typed.
As we informed you in January, OpenSSH plans to completely phase out support for the DSA signature algorithm by early 2025. This version has already disabled DSA keys by default due to their inherent weaknesses and outdated technology. Users requiring DSA can re-enable it via specific build options detailed in the release notes.
Moreover, OpenSSH 9.8 introduces a new penalty system in sshd that temporarily blocks client addresses showing suspicious behaviour, such as repeated failed authentication attempts. This feature aims to reduce the exposure to brute-force attacks.
Alongside these enhancements, the update includes numerous bug fixes across its suite of tools and a few potentially incompatible changes, such as the removal of certain deprecated features and changes in server behavior.
Lastly, the release also focuses on system compatibility and build improvements, ensuring broader support across different systems and configurations. Notably, it improves the detection of OpenSSL configurations and adds support for systemd notifications in environments that use it.
Check out the release announcement for detailed information about all changes in OpenSSH 9.8.