Back to bug 1373836
| Who | When | What | Removed | Added |
|---|---|---|---|---|
| Josh Bressers | 2016-09-07 14:11:55 UTC | CC | bressers | |
| Jakub Svoboda | 2016-09-08 13:59:42 UTC | CC | jjelen | |
| | | Flags | needinfo?(jjelen) | |
| Jakub Jelen | 2016-09-15 07:53:11 UTC | Blocks | 1335911 | |
| | | Summary | Ciphers and MACs enabled by default differ from upstream OpenSSH 6.7 with security implications. | Remove RC4 cipher and questionable MACs enabled by default from OpenSSH |
| | | QA Contact | qe-baseos-security | szidek |
| | | Flags | needinfo?(jjelen) | |
| Muhammad Azhar Shaikh | 2016-09-15 09:09:44 UTC | CC | mdshaikh | |
| Tomas Mraz | 2016-09-29 14:32:57 UTC | CC | thibaut.pouzet | |
| | | CC | tmraz | |
| Nikos Mavrogiannopoulos | 2016-11-01 17:15:37 UTC | CC | nmavrogi | |
| Jakub Jelen | 2016-11-01 17:16:18 UTC | Status | NEW | ASSIGNED |
| Jakub Jelen | 2016-11-02 11:48:59 UTC | Status | ASSIGNED | MODIFIED |
| | | Fixed In Version | openssh-5.3p1-120.el6 | |
| errata-xmlrpc | 2016-11-02 12:02:38 UTC | Status | MODIFIED | ON_QA |
| Stefan Dordevic | 2016-11-14 12:56:01 UTC | CC | sdordevi | |
| | | Flags | needinfo?(jjelen) | |
| Jakub Jelen | 2016-11-14 13:04:57 UTC | Flags | needinfo?(jjelen) | |
| Stanislav Zidek | 2016-11-14 14:00:34 UTC | Doc Type | If docs needed, set a value | Release Note |
| Jakub Jelen | 2016-11-15 09:29:46 UTC | Doc Text | This release is deprecating old algorithms known to be broken from the default client configuration. The affected algorithms are `arcfour256,arcfour128,arcfour` ciphers and `hmac-md5,hmac-md5-96` MACs. This does not affect any existing server configuration. If some of your connections depend on the above algorithms, you can re-enable them per-host in `ssh_config`, for example: `Host legacy` `Ciphers arcfour` `MACs hmac-md5` If you want to restore the previous functionality and use also the above configuration, you can add this snippet to the system-wide `/etc/ssh/ssh_config`: `Ciphers aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se` `MACs hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96` | |
| Stanislav Zidek | 2016-12-09 10:55:23 UTC | QA Contact | szidek | sdordevi |
| Lenka Špačková | 2016-12-12 11:15:48 UTC | Docs Contact | mjahoda | |
| Stefan Dordevic | 2016-12-12 13:22:17 UTC | Flags | needinfo?(jjelen) | |
| Mirek Jahoda | 2016-12-12 15:45:40 UTC | Flags | needinfo?(jjelen) | |
| Nikos Mavrogiannopoulos | 2016-12-13 15:34:29 UTC | Doc Type | Release Note | Deprecated Functionality |
| | | Flags | needinfo?(jjelen) needinfo?(jjelen) | |
| errata-xmlrpc | 2016-12-20 09:42:08 UTC | Status | ON_QA | VERIFIED |
| Mirek Jahoda | 2017-01-04 10:37:39 UTC | Doc Text | This release is deprecating old algorithms known to be broken from the default client configuration. The affected algorithms are `arcfour256,arcfour128,arcfour` ciphers and `hmac-md5,hmac-md5-96` MACs. This does not affect any existing server configuration. If some of your connections depend on the above algorithms, you can re-enable them per-host in `ssh_config`, for example: `Host legacy` `Ciphers arcfour` `MACs hmac-md5` If you want to restore the previous functionality and use also the above configuration, you can add this snippet to the system-wide `/etc/ssh/ssh_config`: `Ciphers aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se` `MACs hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96` | Deprecated algorithms in *OpenSSH*: RC4, hmac-md5, and hmac-md5-96 With this update, the `arcfour256`, `arcfour128`, `arcfour` ciphers and the `hmac-md5`, `hmac-md5-96` Method Authentication Code (MAC) algorithms are deprecated. Note that this change does not affect any existing server configuration. The system administrator can enable these deprecated algorithms by editing the `ssh_config` file, for example: `Host legacy` `Ciphers arcfour` `MACs hmac-md5` To completely restore the deprecated functionality, add the following snippet to the `/etc/ssh/ssh_config` file: `Ciphers aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se` `MACs hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96` |
| Jakub Jelen | 2017-02-01 15:09:21 UTC | CC | leonard-rh-bugzilla | |
| Alan Bartlett | 2017-02-01 16:07:23 UTC | CC | ajb, ned | |
| Alan Bartlett | 2017-02-01 16:07:56 UTC | CC | toracat | |
| errata-xmlrpc | 2017-03-21 00:49:22 UTC | Status | VERIFIED | RELEASE_PENDING |
| errata-xmlrpc | 2017-03-21 10:02:38 UTC | Status | RELEASE_PENDING | CLOSED |
| | | Resolution | --- | ERRATA |
| | | Last Closed | 2017-03-21 06:02:38 UTC | |
| Yasuhiro Ozone | 2017-12-05 09:15:14 UTC | CC | yozone | |