From mboxrd@z Thu Jan 1 00:00:00 1970 
From: Michael Tremer
To: development@lists.ipfire.org
Subject: Re: [PATCH] openssh: Update to version 9.7p1
Date: Tue, 12 Mar 2024 09:54:46 +0000
Message-ID: <8B49A607-287D-4077-A989-5BBF6D11779B@ipfire.org>
In-Reply-To: <20240312085514.87310-1-adolf.belka@ipfire.org>
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="===============7103181024407409223=="
List-Id:

--===============7103181024407409223==
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable

Excellent! Thank you!

> On 12 Mar 2024, at 08:55, Adolf Belka wrote:
>
> - Update from version 9.6p1 to 9.7p1
> - Update of rootfile not required
> - Changelog
> 9.7p1
> Future deprecation notice
> OpenSSH plans to remove support for the DSA signature algorithm in
> early 2025 and compile-time disable it later this year.
> DSA, as specified in the SSHv2 protocol, is inherently weak - being
> limited to a 160 bit private key and use of the SHA1 digest. Its
> estimated security level is only 80 bits symmetric equivalent.
> OpenSSH has disabled DSA keys by default since 2015 but has retained
> run-time optional support for them. DSA was the only mandatory-to-
> implement algorithm in the SSHv2 RFCs[3], mostly because alternative
> algorithms were encumbered by patents when the SSHv2 protocol was
> specified.
> This has not been the case for decades at this point and better
> algorithms are well supported by all actively-maintained SSH
> implementations. We do not consider the costs of maintaining DSA in
> OpenSSH to be justified and hope that removing it from OpenSSH can
> accelerate its wider deprecation in supporting cryptography
> libraries.
> This release makes DSA support in OpenSSH compile-time optional,
> defaulting to on. We intend the next release to change the default
> to disable DSA at compile time. The first OpenSSH release of 2025
> will remove DSA support entirely.
> This release contains mostly bugfixes.
> New features
> * ssh(1), sshd(8): add a "global" ChannelTimeout type that watches
>   all open channels and will close all open channels if there is no
>   traffic on any of them for the specified interval. This is in
>   addition to the existing per-channel timeouts added recently.
>   This supports situations like having both session and x11
>   forwarding channels open where one may be idle for an extended
>   period but the other is actively used. The global timeout could
>   close both channels when both have been idle for too long.
> * All: make DSA key support compile-time optional, defaulting to on.
> Bugfixes
> * sshd(8): don't append an unnecessary space to the end of subsystem
>   arguments (bz3667)
> * ssh(1): fix the multiplexing "channel proxy" mode, broken when
>   keystroke timing obfuscation was added. (GHPR#463)
> * ssh(1), sshd(8): fix spurious configuration parsing errors when
>   options that accept array arguments are overridden (bz3657).
> * ssh-agent(1): fix potential spin in signal handler (bz3670)
> * Many fixes to manual pages and other documentation, including
>   GHPR#462, GHPR#454, GHPR#442 and GHPR#441.
> * Greatly improve interop testing against PuTTY.
> Portability
> * Improve the error message when the autoconf OpenSSL header check
>   fails (bz#3668)
> * Improve detection of broken toolchain -fzero-call-used-regs support
>   (bz3645).
> * Fix regress/misc/fuzz-harness fuzzers and make them compile without
>   warnings when using clang16
>
> Signed-off-by: Adolf Belka
> --- > lfs/openssh | 6 +++--- > 1 file changed, 3 insertions(+), 3 deletions(-) >=20 > diff --git a/lfs/openssh b/lfs/openssh > index 3833f2ca7..315b1a70b 100644 > --- a/lfs/openssh > +++ b/lfs/openssh 
> @@ -1,7 +1,7 @@ > ###########################################################################= #### > # = # > # IPFire.org - A linux based firewall = # > -# Copyright (C) 2007-2023 IPFire Team = # > +# Copyright (C) 2007-2024 IPFire Team = # > # = # > # This program is free software: you can redistribute it and/or modify = # > # it under the terms of the GNU General Public License as published by = # > @@ -24,7 +24,7 @@ >=20 > include Config >=20 > -VER =3D 9.6p1 > +VER =3D 9.7p1 >=20 > THISAPP =3D openssh-$(VER) > DL_FILE =3D $(THISAPP).tar.gz > @@ -40,7 +40,7 @@ objects =3D $(DL_FILE) >=20 > $(DL_FILE) =3D $(DL_FROM)/$(DL_FILE) >=20 > -$(DL_FILE)_BLAKE2 =3D dd7f6747fe89f7b386be4faaf7fc43398a9bf439e45608ae61c2= 126cf8743c64ef7b5af45c75e9007b0bda525f8809261ca0f2fc47ce60177ba769a5324719dd > +$(DL_FILE)_BLAKE2 =3D 520859fcbdf678808fc8515b64585ab9a90a8055fa869df6fbba= 3083cb7f73ddb81ed9ea981e131520736a8aed838f85ae68ca63406a410df61039913c5cb48b >=20 > install : $(TARGET) >=20 > --=20 > 2.44.0 >=20 --===============7103181024407409223==--
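
Review bot: the commit message should say whether DSA key support stays enabled in this build; the `VER` bump in the second hunk is one of only three changed lines in lfs/openssh, so no build option is touched and, per the quoted changelog, 9.7p1 keeps DSA compiled in ("compile-time optional, defaulting to on"). Since the same changelog says the next release flips that default and the first release of 2025 removes DSA entirely, please state the intended IPFire behaviour for this release, or disable DSA at build time in the same patch.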
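
Review bot: the commit message should record how the new `$(DL_FILE)_BLAKE2` value in the last hunk was obtained, because that line is the integrity pin for the 9.7p1 tarball and nothing visible here ties it to the upstream release. Please note that the tarball was checked against the upstream release signature or published checksum before the BLAKE2 sum was computed, so a second reviewer can reproduce the value independently.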
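
An added example, not part of the original mail and not IPFire or OpenSSH code: since the quoted notice says DSA support will be compiled out and later removed, this is one way to inventory remaining DSA entries in an authorized_keys-format file beforehand. The function names and the sample file contents are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: report DSA entries in an authorized_keys-format file.
# Output: "<line number>:<key type>" per DSA key found.
find_dsa_keys() {
    awk '
    function is_dsa(t) {
        return t == "ssh-dss" || t == "ssh-dss-cert-v01@openssh.com"
    }
    /^[ \t]*(#|$)/ { next }              # skip comments and blank lines
    {
        # Layout is: [options] keytype base64 [comment]. The key type is
        # therefore token 1 or 2; options may hold blanks inside "...".
        n = length($0); inq = 0; tok = ""; ntok = 0
        for (i = 1; i <= n + 1 && ntok < 2; i++) {
            c = (i <= n) ? substr($0, i, 1) : " "
            if (inq && c == "\\") {      # backslash escape inside quotes
                tok = tok c substr($0, i + 1, 1); i++; continue
            }
            if (c == "\"") inq = !inq
            if (!inq && (c == " " || c == "\t")) {
                if (tok != "") {
                    ntok++
                    if (is_dsa(tok)) { print NR ":" tok; break }
                    tok = ""
                }
                continue
            }
            tok = tok c
        }
    }' "$1"
}

# Constructed sample input; the key blobs are placeholders, not real keys.
write_sample() {
    cat > "$1" <<'EOF'
# constructed sample
ssh-ed25519 AAAAC3Nza alice@example
ssh-dss AAAAB3NzaC1kc3M bob@example
command="echo ssh-dss",no-pty ssh-rsa AAAAB3NzaC1yc2E ssh-dss
from="10.0.0.1",command="run \"a b\"" ssh-dss AAAAB3NzaC1kc3M backup
ssh-dss-cert-v01@openssh.com AAAAHHNzaC1kc3M carol
EOF
}

tmp=$(mktemp) && write_sample "$tmp" && find_dsa_keys "$tmp"
rm -f "$tmp"
```

Only the key-type field is compared, so the string `ssh-dss` inside a quoted `command=` option or in a trailing comment does not produce a false hit.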