From: Michael Tremer <michael.tremer@ipfire.org>
To: development@lists.ipfire.org
Subject: Re: [PATCH] openssh: Update to version 9.7p1
Date: Tue, 12 Mar 2024 09:54:46 +0000 [thread overview]
Message-ID: <8B49A607-287D-4077-A989-5BBF6D11779B@ipfire.org> (raw)
In-Reply-To: <20240312085514.87310-1-adolf.belka@ipfire.org>
[-- Attachment #1: Type: text/plain, Size: 4604 bytes --]
Excellent! Thank you!
> On 12 Mar 2024, at 08:55, Adolf Belka <adolf.belka(a)ipfire.org> wrote:
>
> - Update from version 9.6p1 to 9.7p1
> - Update of rootfile not required
> - Changelog
> 9.7p1
> Future deprecation notice
> OpenSSH plans to remove support for the DSA signature algorithm in
> early 2025 and compile-time disable it later this year.
> DSA, as specified in the SSHv2 protocol, is inherently weak - being
> limited to a 160 bit private key and use of the SHA1 digest. Its
> estimated security level is only 80 bits symmetric equivalent.
> OpenSSH has disabled DSA keys by default since 2015 but has retained
> run-time optional support for them. DSA was the only mandatory-to-
> implement algorithm in the SSHv2 RFCs[3], mostly because alternative
> algorithms were encumbered by patents when the SSHv2 protocol was
> specified.
> This has not been the case for decades at this point and better
> algorithms are well supported by all actively-maintained SSH
> implementations. We do not consider the costs of maintaining DSA in
> OpenSSH to be justified and hope that removing it from OpenSSH can
> accelerate its wider deprecation in supporting cryptography
> libraries.
> This release makes DSA support in OpenSSH compile-time optional,
> defaulting to on. We intend the next release to change the default
> to disable DSA at compile time. The first OpenSSH release of 2025
> will remove DSA support entirely.
> This release contains mostly bugfixes.
> New features
> * ssh(1), sshd(8): add a "global" ChannelTimeout type that watches
> all open channels and will close all open channels if there is no
> traffic on any of them for the specified interval. This is in
> addition to the existing per-channel timeouts added recently.
> This supports situations like having both session and x11
> forwarding channels open where one may be idle for an extended
> period but the other is actively used. The global timeout could
> close both channels when both have been idle for too long.
> * All: make DSA key support compile-time optional, defaulting to on.
> Bugfixes
> * sshd(8): don't append an unnecessary space to the end of subsystem
> arguments (bz3667)
> * ssh(1): fix the multiplexing "channel proxy" mode, broken when
> keystroke timing obfuscation was added. (GHPR#463)
> * ssh(1), sshd(8): fix spurious configuration parsing errors when
> options that accept array arguments are overridden (bz3657).
> * ssh-agent(1): fix potential spin in signal handler (bz3670)
> * Many fixes to manual pages and other documentation, including
> GHPR#462, GHPR#454, GHPR#442 and GHPR#441.
> * Greatly improve interop testing against PuTTY.
> Portability
> * Improve the error message when the autoconf OpenSSL header check
> fails (bz#3668)
> * Improve detection of broken toolchain -fzero-call-used-regs support
> (bz3645).
> * Fix regress/misc/fuzz-harness fuzzers and make them compile without
> warnings when using clang16
>
> Signed-off-by: Adolf Belka <adolf.belka(a)ipfire.org>
> ---
> lfs/openssh | 6 +++---
> 1 file changed, 3 insertions(+), 3 deletions(-)
>
> diff --git a/lfs/openssh b/lfs/openssh
> index 3833f2ca7..315b1a70b 100644
> --- a/lfs/openssh
> +++ b/lfs/openssh
> @@ -1,7 +1,7 @@
> ###############################################################################
> # #
> # IPFire.org - A linux based firewall #
> -# Copyright (C) 2007-2023 IPFire Team <info(a)ipfire.org> #
> +# Copyright (C) 2007-2024 IPFire Team <info(a)ipfire.org> #
> # #
> # This program is free software: you can redistribute it and/or modify #
> # it under the terms of the GNU General Public License as published by #
> @@ -24,7 +24,7 @@
>
> include Config
>
> -VER = 9.6p1
> +VER = 9.7p1
>
> THISAPP = openssh-$(VER)
> DL_FILE = $(THISAPP).tar.gz
> @@ -40,7 +40,7 @@ objects = $(DL_FILE)
>
> $(DL_FILE) = $(DL_FROM)/$(DL_FILE)
>
> -$(DL_FILE)_BLAKE2 = dd7f6747fe89f7b386be4faaf7fc43398a9bf439e45608ae61c2126cf8743c64ef7b5af45c75e9007b0bda525f8809261ca0f2fc47ce60177ba769a5324719dd
> +$(DL_FILE)_BLAKE2 = 520859fcbdf678808fc8515b64585ab9a90a8055fa869df6fbba3083cb7f73ddb81ed9ea981e131520736a8aed838f85ae68ca63406a410df61039913c5cb48b
>
> install : $(TARGET)
>
> --
> 2.44.0
>
prev parent reply other threads:[~2024-03-12 9:54 UTC|newest]
Thread overview: 2+ messages / expand[flat|nested] mbox.gz Atom feed top
2024-03-12 8:55 Adolf Belka
2024-03-12 9:54 ` Michael Tremer [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=8B49A607-287D-4077-A989-5BBF6D11779B@ipfire.org \
--to=michael.tremer@ipfire.org \
--cc=development@lists.ipfire.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox