[Touch-packages] [Bug 1943530] Re: link libkrb5 with openssl
** Tags added: fr-1900 -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to krb5 in Ubuntu. https://bugs.launchpad.net/bugs/1943530 Title: link libkrb5 with openssl Status in krb5 package in Ubuntu: Confirmed Status in krb5 source package in Jammy: Confirmed Bug description: In Ubuntu we provide a cryptographic core based on a small set of packages that we FIPS certify [0]. Applications and libraries should not bundle their own crypto code but should use the cryptographic core to benefit from the certification, but also importantly to reduce bugs due to small cryptographic libraries that that are not studied as much as more popular counterparts. This bug is to change libkrb5 to use the openssl crypto code instead of bundling its own on the next ubuntu release. [0]. https://ubuntu.com/security/fips To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/krb5/+bug/1943530/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 1943530] Re: link libkrb5 with openssl
** Also affects: krb5 (Ubuntu Jammy) Importance: Undecided Status: Confirmed ** Tags removed: rls-jj-incoming -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to krb5 in Ubuntu. https://bugs.launchpad.net/bugs/1943530 Title: link libkrb5 with openssl Status in krb5 package in Ubuntu: Confirmed Status in krb5 source package in Jammy: Confirmed Bug description: In Ubuntu we provide a cryptographic core based on a small set of packages that we FIPS certify [0]. Applications and libraries should not bundle their own crypto code but should use the cryptographic core to benefit from the certification, but also importantly to reduce bugs due to small cryptographic libraries that that are not studied as much as more popular counterparts. This bug is to change libkrb5 to use the openssl crypto code instead of bundling its own on the next ubuntu release. [0]. https://ubuntu.com/security/fips To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/krb5/+bug/1943530/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 1943530] Re: link libkrb5 with openssl
For 22.04 we should switch to openssl 3.0 for cryptography for the whole. -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to krb5 in Ubuntu. https://bugs.launchpad.net/bugs/1943530 Title: link libkrb5 with openssl Status in krb5 package in Ubuntu: Confirmed Bug description: In Ubuntu we provide a cryptographic core based on a small set of packages that we FIPS certify [0]. Applications and libraries should not bundle their own crypto code but should use the cryptographic core to benefit from the certification, but also importantly to reduce bugs due to small cryptographic libraries that that are not studied as much as more popular counterparts. This bug is to change libkrb5 to use the openssl crypto code instead of bundling its own on the next ubuntu release. [0]. https://ubuntu.com/security/fips To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/krb5/+bug/1943530/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 1943530] Re: link libkrb5 with openssl
> Do we even know for sure this krb5-k5tls is enough for fips compliance, and that it replaces *all* crypto code in kerberos with openssl calls? No it does not. But intention is to make the over the network communications with TLS to be FIPS-TLS compliant which is cheaper to certify when reusing a certified TLS component library. ** Changed in: krb5 (Ubuntu) Status: Incomplete => Confirmed -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to krb5 in Ubuntu. https://bugs.launchpad.net/bugs/1943530 Title: link libkrb5 with openssl Status in krb5 package in Ubuntu: Confirmed Bug description: In Ubuntu we provide a cryptographic core based on a small set of packages that we FIPS certify [0]. Applications and libraries should not bundle their own crypto code but should use the cryptographic core to benefit from the certification, but also importantly to reduce bugs due to small cryptographic libraries that that are not studied as much as more popular counterparts. This bug is to change libkrb5 to use the openssl crypto code instead of bundling its own on the next ubuntu release. [0]. https://ubuntu.com/security/fips To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/krb5/+bug/1943530/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 1943530] Re: link libkrb5 with openssl
** Changed in: krb5 (Ubuntu) Status: New => Incomplete -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to krb5 in Ubuntu. https://bugs.launchpad.net/bugs/1943530 Title: link libkrb5 with openssl Status in krb5 package in Ubuntu: Incomplete Bug description: In Ubuntu we provide a cryptographic core based on a small set of packages that we FIPS certify [0]. Applications and libraries should not bundle their own crypto code but should use the cryptographic core to benefit from the certification, but also importantly to reduce bugs due to small cryptographic libraries that that are not studied as much as more popular counterparts. This bug is to change libkrb5 to use the openssl crypto code instead of bundling its own on the next ubuntu release. [0]. https://ubuntu.com/security/fips To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/krb5/+bug/1943530/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 1943530] Re: link libkrb5 with openssl
Do we even know for sure this krb5-k5tls is enough for fips compliance, and that it replaces *all* crypto code in kerberos with openssl calls? -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to krb5 in Ubuntu. https://bugs.launchpad.net/bugs/1943530 Title: link libkrb5 with openssl Status in krb5 package in Ubuntu: New Bug description: In Ubuntu we provide a cryptographic core based on a small set of packages that we FIPS certify [0]. Applications and libraries should not bundle their own crypto code but should use the cryptographic core to benefit from the certification, but also importantly to reduce bugs due to small cryptographic libraries that that are not studied as much as more popular counterparts. This bug is to change libkrb5 to use the openssl crypto code instead of bundling its own on the next ubuntu release. [0]. https://ubuntu.com/security/fips To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/krb5/+bug/1943530/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 1943530] Re: link libkrb5 with openssl
krb5 (1.13~alpha1+dfsg-1) experimental; urgency=low [ Benjamin Kaduk ] * New upstream prerelease: - Add support for accessing KDCs via an https proxy using the MS-KKDCP protocol, using a plugin provided by the new krb5-k5tls package, which uses openssl for the TLS implementation. The openssl-using code is confined to a separate, runtime-loadable, plugin module, in a separate package, to ameliorate concerns about GPL code that links libkrb5 running into issues with the openssl license. The Kerberos license is both GPL and OpenSSL compatible. There might be an issue if an application was GPL licensed and someone used the OpenSSL plugin with that application. Even that is probably fine provided that no one distributes a combination that tends to encourage such usage. There's an existing krb5-pkinit plugin that also links to OpenSSL, but at time of integration into Debian no GPLed applications in the archive called APIs that would cause that plugin to be loaded. The above concerns are still valid, and given that currently OpenSSL is neither GPLv2 or GPLv3 compatible doing this may not be feasible immediately. The licensing choices will have to be re-evaluated again, once OpenSSL v3 is the default OpenSSL implementation in the archive, which is GPLv3 compatible. ** Tags removed: rls-ii-incoming ** Tags added: rls-ii-wontfix -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to krb5 in Ubuntu. https://bugs.launchpad.net/bugs/1943530 Title: link libkrb5 with openssl Status in krb5 package in Ubuntu: New Bug description: In Ubuntu we provide a cryptographic core based on a small set of packages that we FIPS certify [0]. Applications and libraries should not bundle their own crypto code but should use the cryptographic core to benefit from the certification, but also importantly to reduce bugs due to small cryptographic libraries that that are not studied as much as more popular counterparts. This bug is to change libkrb5 to use the openssl crypto code instead of bundling its own on the next ubuntu release. [0]. https://ubuntu.com/security/fips To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/krb5/+bug/1943530/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 1943530] Re: link libkrb5 with openssl
** Tags added: rls-ii-incoming rls-jj-incoming -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to krb5 in Ubuntu. https://bugs.launchpad.net/bugs/1943530 Title: link libkrb5 with openssl Status in krb5 package in Ubuntu: New Bug description: In Ubuntu we provide a cryptographic core based on a small set of packages that we FIPS certify [0]. Applications and libraries should not bundle their own crypto code but should use the cryptographic core to benefit from the certification, but also importantly to reduce bugs due to small cryptographic libraries that that are not studied as much as more popular counterparts. This bug is to change libkrb5 to use the openssl crypto code instead of bundling its own on the next ubuntu release. [0]. https://ubuntu.com/security/fips To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/krb5/+bug/1943530/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 1943530] Re: link libkrb5 with openssl
** Description changed: In Ubuntu we provide a cryptographic core based on a small set of packages that we FIPS certify [0]. Applications and libraries should not bundle their own crypto code but should use the cryptographic core to benefit from the certification, but also importantly to reduce bugs due - to small cryptographic libraries that are not monitored for low level - crypto CVEs. This bug is to change libkrb5 to use the openssl crypto - code instead of bundling its own on the next ubuntu release. + to small cryptographic libraries that researchers may not be verifying + crypto vulnerabilities at. This bug is to change libkrb5 to use the + openssl crypto code instead of bundling its own on the next ubuntu + release. [0]. https://ubuntu.com/security/fips ** Description changed: In Ubuntu we provide a cryptographic core based on a small set of packages that we FIPS certify [0]. Applications and libraries should not bundle their own crypto code but should use the cryptographic core to benefit from the certification, but also importantly to reduce bugs due - to small cryptographic libraries that researchers may not be verifying - crypto vulnerabilities at. This bug is to change libkrb5 to use the + to small cryptographic libraries that that are not studied as much as + more popular counterparts. This bug is to change libkrb5 to use the openssl crypto code instead of bundling its own on the next ubuntu release. [0]. https://ubuntu.com/security/fips -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to krb5 in Ubuntu. https://bugs.launchpad.net/bugs/1943530 Title: link libkrb5 with openssl Status in krb5 package in Ubuntu: New Bug description: In Ubuntu we provide a cryptographic core based on a small set of packages that we FIPS certify [0]. Applications and libraries should not bundle their own crypto code but should use the cryptographic core to benefit from the certification, but also importantly to reduce bugs due to small cryptographic libraries that that are not studied as much as more popular counterparts. This bug is to change libkrb5 to use the openssl crypto code instead of bundling its own on the next ubuntu release. [0]. https://ubuntu.com/security/fips To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/krb5/+bug/1943530/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp