Type : Bug Fix
Severity : High
Affected Channels: Asianux Server 3 for x86 / x86_64 for Red Flag
SSH (Secure SHell) is a program for logging into and executing commands on a remote machine. SSH is intended to replace rlogin and rsh, and to provide secure encrypted communications between two untrusted hosts over an insecure network. X11 connections and arbitrary TCP/IP ports can also be forwarded over the secure channel.
• Previously, the SSH daemon attempted to bind IPv6 then IPv4 on port 22. The second attempt, IPv4, would fail. This has been fixed by specifying the socket as IPv6 only, and sshd can listen to both IPv6 and IPv4.
• The restorecon command request for /sbin/setfiles to access a leaked SSH tcp_socket file descriptor was denied by SELinux. This has been fixed: sshd no longer leaks any descriptor.
• Updated the pubkey_key_verify() function to respect FIPS: RSA key authentication now works when the FIPS mode is enabled.
• Previously, the /dev/urandom file used by OpenSSH to reseed the OpenSSL random number generator was used only once, at start-up of the SSH daemon service, the SSH client or an SSH-aware utility. In order to increase entropy, the reseeding now takes place periodically. The "SSH_USE_STRONG_RNG" environment variable has also been added to use /dev/random as the random number generator.
• In order to execute the passwd command from sshd directly, sshd resets the default SELinux policy before executing the passwd command.
• For users with a UID higher than 2147483647, the lastlog command did not correctly report the last login log. This has been fixed.
• Added the SendEnv LANGUAGE option to the SSH configuration file and the AcceptEnv option to the sshd configuration file so that SSH now sends and accepts the LANGUAGE environment variable.
• Running the mdoc option "groff -m" on OpenSSH manual pages caused formatting errors. This has been fixed.
• Fixed the ssh-copy-id script: it now copies the id_rsa.pub key instead of the identity.pub key.
• SSH clients sometimes waited indefinitely when the SSH server stopped responding. They now use the ConnectTimeout parameter to stop after timeouts.
• Added the umask feature to the sftp subsystem to create a secure file transfer environment using the sftp service.
Solution : Update packages.
1. tar zxvf openssh-4.3p2-82.0.1.AXS3-all.tar.gz
3. rpm -Uvh *.rpm
4. service sshd restart