| Summary: | dhcpd only supports insecure HMAC-MD5 algorithm for DDNS | | |
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 7 | Reporter: | Tuomo Soini <tis> |
| Component: | dhcp | Assignee: | Pavel Zhukov <pzhukov> |
| Status: | CLOSED ERRATA | QA Contact: | Release Test Team <release-test-team> |
| Severity: | medium | Docs Contact: | Ioanna Gkioka <igkioka> |
| Priority: | medium | | |
| Version: | 7.3 | CC: | jstodola, nmavrogi, pasik, pwouters, pzhukov, sbroz, thozza |
| Target Milestone: | rc | Keywords: | FutureFeature, Patch |
| Hardware: | Unspecified | OS: | Unspecified |
| Fixed In Version: | dhcp-4.2.5-61.el7 | Doc Type: | Release Note |
| Last Closed: | 2018-04-10 08:00:52 UTC | Type: | Bug |
| Bug Blocks: | 1465887, 1465928 | | |

Doc Text:

`DDNS` now supports additional algorithms

Previously, the `dhcpd` daemon supported only the `HMAC-MD5` hashing algorithm, which is considered insecure for critical applications. As a consequence, the `Dynamic DNS (DDNS)` updates were potentially insecure. This update adds support for additional algorithms: `HMAC-SHA1`, `HMAC-SHA224`, `HMAC-SHA256`, `HMAC-SHA384`, and `HMAC-SHA512`.

Fix for Doc Text: "HMAC-MD5" - not MD5.

Fixed. The Doc text updated. Thanks, Tuomo.

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2018:0658

Created attachment 1222357
Backported upstream fix

dhcp-4.2.5-47.el7 only supports the known-to-be-insecure HMAC-MD5 algorithm for dynamic DNS updates. I'd suggest backporting the upstream fix, which adds support for HMAC-SHA1, HMAC-SHA224, HMAC-SHA256, HMAC-SHA384, and HMAC-SHA512.

From e4a2cb79b2679738f56b3803a44c9899f6982c09 Mon Sep 17 00:00:00 2001
From: Thomas Markwalder <tmark>
Date: Mon, 8 Sep 2014 11:41:44 -0400
Subject: [PATCH] [v4_2] Addes addtional HMAC TSIG algorithms to DDNS

Merges in rt36947
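
The following is an added example, not part of the bug report or of the dhcp code base: a small Python audit that finds `key` declarations in a `dhcpd.conf` still using HMAC-MD5 and lists the DDNS zones that sign updates with them. The sample configuration, key and zone names, and secrets are constructed, and the lowercase `hmac-sha*` spellings are an assumption based on the algorithm names in the Doc Text.

```python
import re

# Algorithm names the Doc Text lists as added by the update.
STRONGER = {"hmac-sha1", "hmac-sha224", "hmac-sha256", "hmac-sha384", "hmac-sha512"}
# HMAC-MD5 also appears under its long registered name in dhcpd.conf files.
MD5_NAMES = {"hmac-md5", "hmac-md5.sig-alg.reg.int"}

KEY_BLOCK = re.compile(r'\bkey\s+"?([\w.-]+)"?\s*\{([^}]*)\}', re.I)
ALGORITHM = re.compile(r'\balgorithm\s+([\w.-]+)\s*;', re.I)
ZONE_KEY = re.compile(r'\bzone\s+([\w.-]+)\s*\{[^}]*?\bkey\s+"?([\w.-]+)"?\s*;', re.I)

# Constructed sample configuration (names, addresses and secrets are made up).
SAMPLE_CONF = '''
key LEGACY_UPDATER {
  algorithm HMAC-MD5.SIG-ALG.REG.INT;
  secret "Y29uc3RydWN0ZWQtc2FtcGxl";
};
key NEW_UPDATER {
  algorithm hmac-sha256;  # assumed spelling; needs the fixed dhcp package
  secret "Y29uc3RydWN0ZWQtc2FtcGxlLTI=";
};
zone example.org. { primary 192.0.2.53; key LEGACY_UPDATER; }
zone 2.0.192.in-addr.arpa. { primary 192.0.2.53; key NEW_UPDATER; }
'''

def strip_comments(conf_text):
    """Remove '#' comments so they cannot be mistaken for statements."""
    return re.sub(r'#.*', '', conf_text)

def audit_dhcpd_keys(conf_text):
    """Map each declared key name to (algorithm, verdict)."""
    report = {}
    for name, body in KEY_BLOCK.findall(strip_comments(conf_text)):
        m = ALGORITHM.search(body)
        alg = m.group(1).lower().rstrip('.') if m else None
        if alg is None:
            verdict = "no-algorithm"
        elif alg in MD5_NAMES:
            verdict = "weak"
        else:
            verdict = "ok" if alg in STRONGER else "unknown"
        report[name] = (alg, verdict)
    return report

def zones_on_weak_keys(conf_text):
    """Zones whose TSIG key is HMAC-MD5, unrecognised, or not declared."""
    keys = audit_dhcpd_keys(conf_text)
    zones = ZONE_KEY.findall(strip_comments(conf_text))
    return sorted(z for z, k in zones if keys.get(k, (None, ""))[1] != "ok")
```

Moving a zone to a stronger algorithm requires the same key, with the same algorithm and secret, to be configured on the DNS server that accepts the updates.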