OpenSSH 4.2 has just been released. It will be available from the mirrors listed at http://www.openssh.com/ shortly.
OpenSSH 4.2 also includes some security fixes:
- SECURITY: Fix a bug introduced in OpenSSH 4.0 that caused GatewayPorts to be incorrectly activated for dynamic (“-D”) port forwardings when no listen address was explicitly specified.
- SECURITY: sshd in OpenSSH versions prior to 4.2 allow GSSAPI credentials to be delegated to users who log in with methods other than GSSAPI authentication (e.g. public key) when the client requests it. This behaviour has been changed in OpenSSH 4.2 to only delegate credentials to users who authenticate using the GSSAPI method. This eliminates the risk of credentials being inadvertently exposed to an untrusted user/host (though users should not activate GSSAPIDelegateCredentials to begin with when the remote user or host is untrusted).
For details see the announce.
