Copssh version 5.4.3 bundle contains 32/64-bit client/server installers containing OpenSSL 1.0.2f fixing security vulnerabilities CVE-2016-0701 (high) and CVE-2015-3197 (low). We have also updated Cygwin and GNU tools to their latest versions.

Copssh version 5.4.2 bundle contains 32/64-bit client/server installers with OpenSSH 7.1p2, fixing security vulnerabilities. Changes from 7.1.p1:

• CVE-2016-0777 SECURITY: ssh(1): The OpenSSH client code between 5.4 and 7.1 contains experimental support for resuming SSH-connections (roaming).

The matching server code has never been shipped, but the client code was enabled by default and could be tricked by a malicious server into leaking client memory to the server, including private client user keys. The authentication of the server host key prevents exploitation by a man-in-the-middle, so this information leak is restricted to connections to malicious or compromised servers. MITIGATION: For OpenSSH >= 5.4 the vulnerable code in the client can be completely disabled by adding 'UseRoaming no' to the gobal ssh_config(5) file, or to user configuration in ~/.ssh/config, or by passing -oUseRoaming=no on the command line. This problem was reported by the Qualys Security Advisory team. 

• SECURITY: Fix an out of-bound read access in the packet handling code. Reported by Ben Hawkes.

• PROTOCOL: Correctly interpret the 'first_kex_follows' option during  the intial key exchange. Reported by Matt Johnston.

• Further use of explicit_bzero has been added in various buffer handling code paths to guard against compilers aggressively doing dead-store removal.

Copssh version 5.4.1 bundle contains 32/64-bit client/server installers with updated OpenSSL and Cygwin/GNU tools. OpenSSL 1.0.2e fixes 5 security vulnerabilities:

• Moderate - BN_mod_exp may produce incorrect results on x86_64 (CVE-2015-3193)
• Moderate - Certificate verify crash with missing PSS parameter (CVE-2015-3194)
• Moderate - X509_ATTRIBUTE memory leak (CVE-2015-3195)
• Low - Race condition handling PSK identify hint (CVE-2015-3196)
• Low - Anon DH ServerKeyExchange with 0 p parameter (CVE-2015-1794)

We have also updated Cygwin/GNU Tools to the latest stable versions. Enjoy!

Nagwin 2.5.0 contains the latest available Nagios version 4.1.1, including new graphical CGI displays and promoting JSON CGIs to released status, in addition to many bug fixes. PHP is also updated to the latest version (5.6.13).

Copssh version 5.4.0 bundle contains 32/64-bit client/server installers with OpenSSH 7.1, a bug fix release:

Security

• sshd(8): OpenSSH 7.0 contained a logic error in PermitRootLogin=prohibit-password/without-password that could, depending on compile-time configuration, permit password authentication to root while preventing other forms of authentication. This problem was reported by Mantas Mikulenas.

Bugfixes

• ssh(1), sshd(8): add compatibility workarounds for FuTTY
• ssh(1), sshd(8): refine compatibility workarounds for WinSCP
• Fix a number of memory faults (double-free, free of uninitialised memory, etc) in ssh(1) and ssh-keygen(1). Reported by Mateusz Kocielski.

 Future deprecation notice from OpenSSH:

We plan on retiring more legacy cryptography in the next release including:

• Refusing all RSA keys smaller than 1024 bits (the current minimum is 768 bits)
• Several ciphers will be disabled by default: blowfish-cbc, cast128-cbc, all arcfour variants and the rijndael-cbc aliases for AES.
• MD5-based HMAC algorithms will be disabled by default.

This list reflects our current intentions, but please check the final release notes for OpenSSH 7.2 when it is released.