Bug 1375179 - [RFE] RC4 and CBC ciphers shipped with openssh and openssh-server should be removed
Summary: [RFE] RC4 and CBC ciphers shipped with openssh and openssh-server should be r...
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: openssh
Version: 7.2
Hardware: All
OS: Linux
medium
medium
Target Milestone: rc
: 7.4
Assignee: Jakub Jelen
QA Contact: Hubert Kario
URL:
Whiteboard:
Depends On:
Blocks: 1377248 1335929
TreeView+ depends on / blocked
 
Reported: 2016-09-12 12:04 UTC by Muhammad Azhar Shaikh
Modified: 2017-08-01 18:42 UTC (History)
4 users (show)

Fixed In Version: openssh-7.4p1-1.el7
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2017-08-01 18:42:47 UTC
Target Upstream Version:


Attachments (Terms of Use)


Links
System ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2017:2029 normal SHIPPED_LIVE Moderate: openssh security, bug fix, and enhancement update 2017-08-01 18:11:55 UTC
Red Hat Knowledge Base (Solution) 420283 None None None 2016-09-12 12:05:21 UTC

Comment 2 Jakub Jelen 2016-09-14 11:16:01 UTC
Basically the same request is in the bug #1373836 (for RHEL6.9 now). We are aware of this issue and we plan to proceed with removing insecure algorithms in future releases.

Comment 4 Chris Blum 2017-01-01 12:11:20 UTC
While we're at it - can we also remove the arcfour ciphers?
My security scanner (Greenbone) reports:

> Vulnerability Insight
> The ‘arcfour‘ cipher is the Arcfour stream cipher with 128-bit keys. The Arcfour cipher is believed to be
> compatible with the RC4 cipher {[}SCHNEIER{]}. Arcfour (and RC4) has problems with weak keys, and
> should not be used anymore.

Currently this is not yet reflected on the customer portal:
https://access.redhat.com/solutions/420283

But I don't know where I would let them know... So I came here ;)

Comment 10 errata-xmlrpc 2017-08-01 18:42:47 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2017:2029


Note You need to log in before you can comment on or make changes to this bug.