Back to bug 1960266
| Who | When | What | Removed | Added |
|---|---|---|---|---|
| Red Hat Bugzilla | 2021-05-13 13:36:52 UTC | Pool ID | sst_security_crypto_rhel_8 | |
| Red Hat One Jira (issues.redhat.com) | 2021-05-13 13:37:31 UTC | Link ID | Red Hat Issue Tracker RHELPLAN-79223 | |
| Alexander Sosedkin | 2021-05-13 18:43:11 UTC | Keywords | Rebase, Triaged | |
| | | Priority | unspecified | medium |
| Red Hat One Jira (issues.redhat.com) | 2021-05-13 18:45:04 UTC | Link ID | Red Hat Issue Tracker CRYPTO-4139 | |
| Ondrej Moriš | 2021-05-25 14:24:32 UTC | CC | omoris | |
| | | Doc Type | If docs needed, set a value | Rebase: Bug Fixes and Enhancements |
| Alexander Sosedkin | 2021-05-25 14:29:51 UTC | Doc Text | If this bug requires documentation, please select an appropriate Doc Type value. | |
| Stanislav Zidek | 2021-06-03 16:15:28 UTC | QA Contact | qe-baseos-security | omoris |
| Alexander Sosedkin | 2021-06-18 14:38:11 UTC | Fixed In Version | crypto-policies-20210617-1.gitc776d3e.el8 | |
| | | CC | jtougne | |
| Alexander Sosedkin | 2021-06-18 14:46:36 UTC | Status | NEW | MODIFIED |
| errata-xmlrpc | 2021-06-18 14:59:30 UTC | Status | MODIFIED | ON_QA |
| Ondrej Moriš | 2021-06-29 10:23:22 UTC | Status | ON_QA | VERIFIED |
| Mirek Jahoda | 2021-09-30 09:29:01 UTC | CC | mjahoda | |
| | | Flags | needinfo?(asosedki) | |
| | | Docs Contact | mjahoda | |
| Lucie Vařáková | 2021-10-01 13:57:30 UTC | Doc Type | Rebase: Bug Fixes and Enhancements | Enhancement |
| | | Doc Text | If this bug requires documentation, please select an appropriate Doc Type value. | Rebase package(s) to version: Highlights, important fixes, or notable enhancements: |
| Alexander Sosedkin | 2021-10-04 09:11:02 UTC | Flags | needinfo?(asosedki) | |
| | | Doc Text | Rebase package(s) to version: Highlights, important fixes, or notable enhancements: | Rebase package(s) to version: 20210617-1.gitc776d3e.el8 Highlights, important fixes, or notable enhancements: Scoped policies support has been implemented, meaning that back-ends can now have different sets of algorithms enabled. To make use of this, add scopes to the directives in custom policies/subpolicies; e.g., `hash@DNSSec = SHA1+` or `hash@BIND = SHA1+` restricts enabling SHA-1 to usage within DNSSec or even just BIND server specifically. See crypto-policies(7) for the list of scopes and more details on the syntax. With the introduction of scopes, the following derived properties has been deprecated: `tls_cipher`, `ssh_cipher`, `ssh_group`, `ike_protocol`, `sha1_in_dnssec`. In addition, unscoped `protocol` property is now deprecated as well. See crypto-policies(7) or deprecation warnings for recommended replacements. Directives can now use asterisks for specifying values using wildcards, e.g., `cipher@SSH = -*-CBC` will disable all CBC ciphers for use with SSH, not just acting as a shorthand for `cipher@SSH = -AES-128-CBC -AES-256-CBC ...` but also matching CBC ciphers that could be added in future updates. See crypto-policies(7) for more details and caveats on using wildcards. |
| Mirek Jahoda | 2021-10-04 13:19:59 UTC | Flags | needinfo?(asosedki) | |
| Alexander Sosedkin | 2021-10-04 13:54:28 UTC | Flags | needinfo?(asosedki) | |
| Mirek Jahoda | 2021-10-06 09:21:40 UTC | Blocks | 2011208 | |
| Mirek Jahoda | 2021-10-06 14:22:23 UTC | Doc Text | Rebase package(s) to version: 20210617-1.gitc776d3e.el8 Highlights, important fixes, or notable enhancements: Scoped policies support has been implemented, meaning that back-ends can now have different sets of algorithms enabled. To make use of this, add scopes to the directives in custom policies/subpolicies; e.g., `hash@DNSSec = SHA1+` or `hash@BIND = SHA1+` restricts enabling SHA-1 to usage within DNSSec or even just BIND server specifically. See crypto-policies(7) for the list of scopes and more details on the syntax. With the introduction of scopes, the following derived properties has been deprecated: `tls_cipher`, `ssh_cipher`, `ssh_group`, `ike_protocol`, `sha1_in_dnssec`. In addition, unscoped `protocol` property is now deprecated as well. See crypto-policies(7) or deprecation warnings for recommended replacements. Directives can now use asterisks for specifying values using wildcards, e.g., `cipher@SSH = -*-CBC` will disable all CBC ciphers for use with SSH, not just acting as a shorthand for `cipher@SSH = -AES-128-CBC -AES-256-CBC ...` but also matching CBC ciphers that could be added in future updates. See crypto-policies(7) for more details and caveats on using wildcards. | .`crypto-policies` rebased to 20210617-1 The `crypto-policies` packages have been upgraded to upstream version 20210617-1, which provides a number of enhancements and bug fixes over the previous version: * You can now use scoped policies and enable different sets of algorithms for different back ends. To add scopes to directives in custom policies, use the `option@{scope1, scope2, ...}` syntax. For example, the following directive limits SHA-1-based hashes to the DNSSec and BIND services: + ---- hash@DNSSec,BIND = SHA1+ ---- * Directives can now use asterisks for specifying values using wildcards. For example, the following directive disables all CBC ciphers for use with the SSH protocol: + ---- cipher@SSH = -*-CBC ---- |
| Alexander Sosedkin | 2021-10-06 15:02:29 UTC | Doc Text | .`crypto-policies` rebased to 20210617-1 The `crypto-policies` packages have been upgraded to upstream version 20210617-1, which provides a number of enhancements and bug fixes over the previous version: * You can now use scoped policies and enable different sets of algorithms for different back ends. To add scopes to directives in custom policies, use the `option@{scope1, scope2, ...}` syntax. For example, the following directive limits SHA-1-based hashes to the DNSSec and BIND services: + ---- hash@DNSSec,BIND = SHA1+ ---- * Directives can now use asterisks for specifying values using wildcards. For example, the following directive disables all CBC ciphers for use with the SSH protocol: + ---- cipher@SSH = -*-CBC ---- | .`crypto-policies` rebased to 20210617 The `crypto-policies` packages have been upgraded to upstream version 20210617, which provides a number of enhancements and bug fixes over the previous version, most notably: * You can now use scoped policies to enable different sets of algorithms for different back ends. Each configuration directive can now be limited to specific protocols, libraries or services. Please refer to the `crypto-policies(7)` man page for the complete list of available scopes and details on the new syntax. For example, the following directive allows using AES-256-CBC cipher with the SSH protocol, impacting both libssh and openssh: + ---- cipher@SSH = AES-256-CBC+ ---- * Directives can now use asterisks for specifying multiple values using wildcards. Mind that future updates can introduce new algorithms matched by existing wildcards. For example, the following directive disables all CBC mode ciphers for applications using libssh: + ---- cipher@libssh = -*-CBC ---- |
| Mirek Jahoda | 2021-10-06 15:26:51 UTC | Doc Text | .`crypto-policies` rebased to 20210617 The `crypto-policies` packages have been upgraded to upstream version 20210617, which provides a number of enhancements and bug fixes over the previous version, most notably: * You can now use scoped policies to enable different sets of algorithms for different back ends. Each configuration directive can now be limited to specific protocols, libraries or services. Please refer to the `crypto-policies(7)` man page for the complete list of available scopes and details on the new syntax. For example, the following directive allows using AES-256-CBC cipher with the SSH protocol, impacting both libssh and openssh: + ---- cipher@SSH = AES-256-CBC+ ---- * Directives can now use asterisks for specifying multiple values using wildcards. Mind that future updates can introduce new algorithms matched by existing wildcards. For example, the following directive disables all CBC mode ciphers for applications using libssh: + ---- cipher@libssh = -*-CBC ---- | .`crypto-policies` rebased to 20210617 The `crypto-policies` packages have been upgraded to upstream version 20210617, which provides a number of enhancements and bug fixes over the previous version, most notably: * You can now use scoped policies to enable different sets of algorithms for different back ends. Each configuration directive can now be limited to specific protocols, libraries or services. Please refer to the `crypto-policies(7)` man page for the complete list of available scopes and details on the new syntax. For example, the following directive allows using AES-256-CBC cipher with the SSH protocol, impacting both the `libssh` library and the OpenSSH suite: + ---- cipher@SSH = AES-256-CBC+ ---- * Directives can now use asterisks for specifying multiple values using wildcards. For example, the following directive disables all CBC mode ciphers for applications using `libssh`: + ---- cipher@libssh = -*-CBC ---- + Note that future updates can introduce new algorithms matched by the current wildcards. |
| errata-xmlrpc | 2021-11-09 00:44:51 UTC | Status | VERIFIED | RELEASE_PENDING |
| Jan Fiala | 2021-11-09 10:11:11 UTC | Doc Text | .`crypto-policies` rebased to 20210617 The `crypto-policies` packages have been upgraded to upstream version 20210617, which provides a number of enhancements and bug fixes over the previous version, most notably: * You can now use scoped policies to enable different sets of algorithms for different back ends. Each configuration directive can now be limited to specific protocols, libraries or services. Please refer to the `crypto-policies(7)` man page for the complete list of available scopes and details on the new syntax. For example, the following directive allows using AES-256-CBC cipher with the SSH protocol, impacting both the `libssh` library and the OpenSSH suite: + ---- cipher@SSH = AES-256-CBC+ ---- * Directives can now use asterisks for specifying multiple values using wildcards. For example, the following directive disables all CBC mode ciphers for applications using `libssh`: + ---- cipher@libssh = -*-CBC ---- + Note that future updates can introduce new algorithms matched by the current wildcards. | .`crypto-policies` rebased to 20210617 The `crypto-policies` packages have been upgraded to upstream version 20210617, which provides a number of enhancements and bug fixes over the previous version, most notably: * You can now use scoped policies to enable different sets of algorithms for different back ends. Each configuration directive can now be limited to specific protocols, libraries or services. For a complete list of available scopes and details on the new syntax, see the `crypto-policies(7)` man page. For example, the following directive allows using AES-256-CBC cipher with the SSH protocol, impacting both the `libssh` library and the OpenSSH suite: + ---- cipher@SSH = AES-256-CBC+ ---- * Directives can now use asterisks for specifying multiple values using wildcards. For example, the following directive disables all CBC mode ciphers for applications using `libssh`: + ---- cipher@libssh = -*-CBC ---- + Note that future updates can introduce new algorithms matched by the current wildcards. |
| | | CC | jafiala | |
| errata-xmlrpc | 2021-11-09 19:51:36 UTC | Status | RELEASE_PENDING | CLOSED |
| | | Resolution | --- | ERRATA |
| | | Last Closed | 2021-11-09 19:51:36 UTC | |
| errata-xmlrpc | 2021-11-09 19:51:46 UTC | Link ID | Red Hat Product Errata RHBA-2021:4460 | |
| Mirek Jahoda | 2022-01-05 17:16:05 UTC | Doc Text | .`crypto-policies` rebased to 20210617 The `crypto-policies` packages have been upgraded to upstream version 20210617, which provides a number of enhancements and bug fixes over the previous version, most notably: * You can now use scoped policies to enable different sets of algorithms for different back ends. Each configuration directive can now be limited to specific protocols, libraries or services. For a complete list of available scopes and details on the new syntax, see the `crypto-policies(7)` man page. For example, the following directive allows using AES-256-CBC cipher with the SSH protocol, impacting both the `libssh` library and the OpenSSH suite: + ---- cipher@SSH = AES-256-CBC+ ---- * Directives can now use asterisks for specifying multiple values using wildcards. For example, the following directive disables all CBC mode ciphers for applications using `libssh`: + ---- cipher@libssh = -*-CBC ---- + Note that future updates can introduce new algorithms matched by the current wildcards. | .`crypto-policies` rebased to 20210617 The `crypto-policies` packages have been upgraded to upstream version 20210617, which provides a number of enhancements and bug fixes over the previous version, most notably: * You can now use scoped policies to enable different sets of algorithms for different back ends. Each configuration directive can now be limited to specific protocols, libraries, or services. For a complete list of available scopes and details on the new syntax, see the `crypto-policies(7)` man page. For example, the following directive allows using AES-256-CBC cipher with the SSH protocol, impacting both the `libssh` library and the OpenSSH suite: + ---- cipher@SSH = AES-256-CBC+ ---- * Directives can now use asterisks for specifying multiple values using wildcards. For example, the following directive disables all CBC mode ciphers for applications using `libssh`: + ---- cipher@libssh = -*-CBC ---- + Note that future updates can introduce new algorithms matched by the current wildcards. |