Excellent! Thank you!

> On 12 Mar 2024, at 08:55, Adolf Belka wrote:
>
> - Update from version 9.6p1 to 9.7p1
> - Update of rootfile not required
> - Changelog
> 9.7p1
> Future deprecation notice
> OpenSSH plans to remove support for the DSA signature algorithm in
> early 2025 and compile-time disable it later this year.
> DSA, as specified in the SSHv2 protocol, is inherently weak - being
> limited to a 160 bit private key and use of the SHA1 digest. Its
> estimated security level is only 80 bits symmetric equivalent.
> OpenSSH has disabled DSA keys by default since 2015 but has retained
> run-time optional support for them. DSA was the only mandatory-to-
> implement algorithm in the SSHv2 RFCs[3], mostly because alternative
> algorithms were encumbered by patents when the SSHv2 protocol was
> specified.
> This has not been the case for decades at this point and better
> algorithms are well supported by all actively-maintained SSH
> implementations. We do not consider the costs of maintaining DSA in
> OpenSSH to be justified and hope that removing it from OpenSSH can
> accelerate its wider deprecation in supporting cryptography
> libraries.
> This release makes DSA support in OpenSSH compile-time optional,
> defaulting to on. We intend the next release to change the default
> to disable DSA at compile time. The first OpenSSH release of 2025
> will remove DSA support entirely.
> This release contains mostly bugfixes.
> New features
> * ssh(1), sshd(8): add a "global" ChannelTimeout type that watches
> all open channels and will close all open channels if there is no
> traffic on any of them for the specified interval. This is in
> addition to the existing per-channel timeouts added recently.
> This supports situations like having both session and x11
> forwarding channels open where one may be idle for an extended
> period but the other is actively used. The global timeout could
> close both channels when both have been idle for too long.
> * All: make DSA key support compile-time optional, defaulting to on. > Bugfixes > * sshd(8): don't append an unnecessary space to the end of subsystem > arguments (bz3667) > * ssh(1): fix the multiplexing "channel proxy" mode, broken when > keystroke timing obfuscation was added. (GHPR#463) > * ssh(1), sshd(8): fix spurious configuration parsing errors when > options that accept array arguments are overridden (bz3657). > * ssh-agent(1): fix potential spin in signal handler (bz3670) > * Many fixes to manual pages and other documentation, including > GHPR#462, GHPR#454, GHPR#442 and GHPR#441. > * Greatly improve interop testing against PuTTY. > Portability > * Improve the error message when the autoconf OpenSSL header check > fails (bz#3668) > * Improve detection of broken toolchain -fzero-call-used-regs support > (bz3645). > * Fix regress/misc/fuzz-harness fuzzers and make them compile without > warnings when using clang16 > > Signed-off-by: Adolf Belka > --- > lfs/openssh | 6 +++--- > 1 file changed, 3 insertions(+), 3 deletions(-) > > diff --git a/lfs/openssh b/lfs/openssh > index 3833f2ca7..315b1a70b 100644 > --- a/lfs/openssh > +++ b/lfs/openssh > @@ -1,7 +1,7 @@ > ############################################################################### > # # > # IPFire.org - A linux based firewall # > -# Copyright (C) 2007-2023 IPFire Team # > +# Copyright (C) 2007-2024 IPFire Team # > # # > # This program is free software: you can redistribute it and/or modify # > # it under the terms of the GNU General Public License as published by # > @@ -24,7 +24,7 @@ > > include Config > > -VER = 9.6p1 > +VER = 9.7p1 > > THISAPP = openssh-$(VER) > DL_FILE = $(THISAPP).tar.gz 
> @@ -40,7 +40,7 @@ objects = $(DL_FILE) > > $(DL_FILE) = $(DL_FROM)/$(DL_FILE) > > -$(DL_FILE)_BLAKE2 = dd7f6747fe89f7b386be4faaf7fc43398a9bf439e45608ae61c2126cf8743c64ef7b5af45c75e9007b0bda525f8809261ca0f2fc47ce60177ba769a5324719dd > +$(DL_FILE)_BLAKE2 = 520859fcbdf678808fc8515b64585ab9a90a8055fa869df6fbba3083cb7f73ddb81ed9ea981e131520736a8aed838f85ae68ca63406a410df61039913c5cb48b > > install : $(TARGET) > > -- > 2.44.0 >
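
Review bot: the `VER = 9.7p1` bump in the second hunk takes upstream's new DSA default without saying so. The changelog quoted in the commit message states that 9.7p1 makes DSA key support compile-time optional, defaulting to on, and that the next release is intended to disable it at compile time. The diffstat shows only three lines of lfs/openssh changing, so no build option is touched and DSA stays compiled in. Please state in the commit message whether keeping DSA enabled for this release is intended, and consider checking before the next update whether any host keys or authorized keys in use are still DSA.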
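
Review bot: the replaced `$(DL_FILE)_BLAKE2` value in the third hunk is the integrity pin visible here for the new tarball, and nothing in the patch or the commit message says how it was derived. Please note in the commit message that the 9.7p1 tarball was checked against upstream's published signature or checksum before the BLAKE2 digest was computed, so that the pin is more than a hash of whatever was downloaded from `$(DL_FROM)`.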