** Description changed: As per RFC 8732, gss-group14-sha1- and gss-gex-sha1-* are considered deprecated and should not be used. https://www.rfc-editor.org/rfc/rfc8732#name-deprecated-algorithms Let's remove them from the default algorithms list. + + Note that we do not intend to remove support for those algorithms at + this moment. For now, we will just drop them from the default list that + the client or the server will try for GSS key exchange in case the user + do not specify any algorithms in their configuration file. + + The package was successfully built in + https://launchpad.net/~athos/+archive/ubuntu/openssh-gssapi/+packages. + + The packages in that PPA install and upgrade successfully and are also + passing autopkgtest runs. + + Since there are no ABI changes (we are changing the default value for a + configuration), there is no need to worry about reverse dependencies + AFAICT. If this becomes an issue, it would likely be due to some + component using a deprecated (insecure) key exchange algorithm. + + $ seeded-in-ubuntu openssh + openssh-client (from openssh) is seeded in: + edubuntu: daily-live, daily-preinstalled + kubuntu: daily-live + lubuntu: daily-live + ubuntu-budgie: daily-live + ubuntu-core-installer: daily-live + ubuntu-mate: daily-live + ubuntu-server: daily-live, daily-preinstalled + ubuntu-unity: daily-live + ubuntu-wsl: daily-live + ubuntu: daily-dangerous, daily-live, daily-preinstalled + ubuntucinnamon: daily-live + ubuntukylin: daily-live + ubuntustudio: daily-live + xubuntu: daily-live, daily-minimal + openssh-server (from openssh) is seeded in: + ubuntu-core-installer: daily-live + ubuntu-server: daily-live, daily-preinstalled + openssh-sftp-server (from openssh) is seeded in: + ubuntu-core-installer: daily-live + ubuntu-server: daily-live, daily-preinstalled + ssh-askpass-gnome (from openssh) is seeded in: + ubuntu-budgie: daily-live
** Description changed: + @ Release team: This is a Work in Progress. + As per RFC 8732, gss-group14-sha1- and gss-gex-sha1-* are considered deprecated and should not be used. https://www.rfc-editor.org/rfc/rfc8732#name-deprecated-algorithms Let's remove them from the default algorithms list. Note that we do not intend to remove support for those algorithms at this moment. For now, we will just drop them from the default list that the client or the server will try for GSS key exchange in case the user do not specify any algorithms in their configuration file. The package was successfully built in https://launchpad.net/~athos/+archive/ubuntu/openssh-gssapi/+packages. The packages in that PPA install and upgrade successfully and are also passing autopkgtest runs. Since there are no ABI changes (we are changing the default value for a configuration), there is no need to worry about reverse dependencies AFAICT. If this becomes an issue, it would likely be due to some component using a deprecated (insecure) key exchange algorithm. 
$ seeded-in-ubuntu openssh openssh-client (from openssh) is seeded in: - edubuntu: daily-live, daily-preinstalled - kubuntu: daily-live - lubuntu: daily-live - ubuntu-budgie: daily-live - ubuntu-core-installer: daily-live - ubuntu-mate: daily-live - ubuntu-server: daily-live, daily-preinstalled - ubuntu-unity: daily-live - ubuntu-wsl: daily-live - ubuntu: daily-dangerous, daily-live, daily-preinstalled - ubuntucinnamon: daily-live - ubuntukylin: daily-live - ubuntustudio: daily-live - xubuntu: daily-live, daily-minimal + edubuntu: daily-live, daily-preinstalled + kubuntu: daily-live + lubuntu: daily-live + ubuntu-budgie: daily-live + ubuntu-core-installer: daily-live + ubuntu-mate: daily-live + ubuntu-server: daily-live, daily-preinstalled + ubuntu-unity: daily-live + ubuntu-wsl: daily-live + ubuntu: daily-dangerous, daily-live, daily-preinstalled + ubuntucinnamon: daily-live + ubuntukylin: daily-live + ubuntustudio: daily-live + xubuntu: daily-live, daily-minimal openssh-server (from openssh) is seeded in: - ubuntu-core-installer: daily-live - ubuntu-server: daily-live, daily-preinstalled + ubuntu-core-installer: daily-live + ubuntu-server: daily-live, daily-preinstalled openssh-sftp-server (from openssh) is seeded in: - ubuntu-core-installer: daily-live - ubuntu-server: daily-live, daily-preinstalled + ubuntu-core-installer: daily-live + ubuntu-server: daily-live, daily-preinstalled ssh-askpass-gnome (from openssh) is seeded in: - ubuntu-budgie: daily-live + ubuntu-budgie: daily-live
https://bugs.launchpad.net/bugs/2144812 Title: [FFe] Do not default to weak GSS-API exchange algorithms
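Because the change only affects the default list, any configuration that names the deprecated methods explicitly keeps offering them. The script below is an added example, not part of the bug report or the openssh package, that flags such lines. It assumes the option is `GSSAPIKexAlgorithms` (the name used by the GSS-API key exchange patch carried in Debian and Ubuntu, not stated in the report), also matches `gss-group1-sha1-` from RFC 8732's deprecated list, and runs against constructed sample files.

```shell
#!/bin/sh
# Added example: report config lines that explicitly list the SHA-1 GSS-API
# key exchange methods deprecated by RFC 8732.

# Usage: find_deprecated_gss_kex FILE...
# Prints "FILE:LINE: ALGORITHM" per deprecated entry; returns 1 if any is found.
find_deprecated_gss_kex() {
    awk '
        { sub(/=/, " ") }                   # accept "Keyword=value" as well
        NF < 2 || $1 ~ /^#/ { next }        # blank lines, comments, bare keywords
        tolower($1) == "gssapikexalgorithms" {
            n = split($2, alg, ",")
            for (i = 1; i <= n; i++)
                if (alg[i] ~ /^gss-(group1|group14|gex)-sha1-/) {
                    printf "%s:%d: %s\n", FILENAME, FNR, alg[i]
                    found = 1
                }
        }
        END { exit (found ? 1 : 0) }
    ' "$@"
}

# Constructed sample configs, not taken from any real system.
demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT
cat > "$demo_dir/sshd_pinned.conf" <<'EOF'
# explicit list that still includes two deprecated methods
GSSAPIKeyExchange yes
GSSAPIKexAlgorithms gss-curve25519-sha256-,gss-group14-sha1-,gss-gex-sha1-
EOF
cat > "$demo_dir/ssh_default.conf" <<'EOF'
# no explicit list: the package default applies
Host *
    GSSAPIKeyExchange yes
EOF
cat > "$demo_dir/ssh_strong.conf" <<'EOF'
Host *
    gssapikexalgorithms=gss-group16-sha512-,gss-nistp256-sha256-
EOF

find_deprecated_gss_kex "$demo_dir"/*.conf ||
    echo "deprecated GSS-API KEX methods are set explicitly in the files above"
```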
