On Tue, Dec 23, 2008, Christoph Schug wrote: > Ralf S. Engelschall wrote: >> On Mon, Dec 22, 2008, OpenPKG Project Robot wrote: >> >>> The following OpenPKG Contribution Area operation occurred. >>> uploaded DIFF file "openssh.diff" accepted -- moved to contrib area. >>> No action is required on your part. >> >> I've committed a slight variation of this patch now. > > Hmm, but I think this way it does not make too much sense as you > included a more or less complete list of available ciphers. As far as > I know the server picks one cipher based on the client's perference. > The client can choose from the list offered by the server and might > potentially prefer a cipher which might be insecure. IIRC the order > within the list of ciphers on the server is not relevant. So the idea > was to remove any potentially insecure ciphers.
Well, as the advisory states, the whole impact of the vulnerability is still somewhat unclear and the suggested reduction of the cipher suite is OK to be safe in advance on _this_ vulnerability, but OTOH it might have other drawbacks. So, I don't want to rush as long as the upstream vendors make a more clear and definite statement. Instead, I think the reduction to "Protocol 2" only by default on the server and the _addition_ of the CTR-mode ciphers is a reasonable thing we should do and hence I've applied this. On the client side I want to be not too restrictive by default at this time and on the server-side we need more consideration before we should reduce the accepted cipher suites such massively. Ralf S. Engelschall r...@engelschall.com www.engelschall.com ______________________________________________________________________ OpenPKG http://openpkg.org Developer Communication List openpkg-dev@openpkg.org