author: Colin Watson <cjwatson@debian.org> 2015-12-05 14:41:09 +0000
committer: Colin Watson <cjwatson@debian.org> 2015-12-05 14:41:09 +0000
commit: e83912709e9904b517a4457c49dbf8e7d77abd4a
tree: 5f82584aa275c9438ed187f7b25bac79600aeb1d /debian/NEWS
parent: 72ad2a8d69daa14c8e91283e9aa8be38099cd473
Add NEWS.Debian documenting cryptographic changes in OpenSSH 7.0 (closes: #806962).
Diffstat (limited to 'debian/NEWS')
-rw-r--r-- debian/NEWS 27
1 files changed, 27 insertions, 0 deletions
diff --git a/debian/NEWS b/debian/NEWS
index 40c7fc0a0..fac24aed5 100644
--- a/debian/NEWS
+++ b/debian/NEWS
@@ -1,3 +1,30 @@
1openssh (1:7.1p1-2) UNRELEASED; urgency=medium
2
3 OpenSSH 7.0 disables several pieces of weak, legacy, and/or unsafe
4 cryptography.
5
6 * Support for the legacy SSH version 1 protocol is disabled by default at
7 compile time. Note that this also means that the Cipher keyword in
8 ssh_config(5) is effectively no longer usable; use Ciphers instead for
9 protocol 2.
10 * Support for the 1024-bit diffie-hellman-group1-sha1 key exchange is
11 disabled by default at run-time. It may be re-enabled using the
12 instructions at http://www.openssh.com/legacy.html
13 * Support for ssh-dss, ssh-dss-cert-* host and user keys is disabled by
14 default at run-time. These may be re-enabled using the instructions at
15 http://www.openssh.com/legacy.html
16 * Support for the legacy v00 cert format has been removed.
17
18 Future releases will retire more legacy cryptography, including:
19
20 * Refusing all RSA keys smaller than 1024 bits (the current minimum is
21 768 bits).
22 * Several ciphers will be disabled by default: blowfish-cbc, cast128-cbc,
23 all arcfour variants, and the rijndael-cbc aliases for AES.
24 * MD5-based HMAC algorithms will be disabled by default.
25
26 -- Colin Watson <cjwatson@debian.org> Thu, 03 Dec 2015 17:59:08 +0000
27
1openssh (1:6.7p1-5) unstable; urgency=medium 28openssh (1:6.7p1-5) unstable; urgency=medium
2 29
3 openssh-server 1:6.7p1-4 changed the default setting of AcceptEnv to list 30 openssh-server 1:6.7p1-4 changed the default setting of AcceptEnv to list
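Review bot: The two "disabled by default at run-time" bullets (diffie-hellman-group1-sha1, and ssh-dss / ssh-dss-cert-*) give the reader nothing to act on except http://www.openssh.com/legacy.html, whereas the first bullet names the keyword to switch to (Ciphers in place of Cipher). Since this text is what an administrator sees when upgrading, I would name the ssh_config(5) / sshd_config(5) keyword that re-enables each algorithm directly in the bullet and keep the URL as further reading, given once rather than twice. In the ssh-dss bullet it would also help to spell out the consequence of "host and user keys": a user whose only key is ssh-dss, or a host that offers only an ssh-dss host key, stops working after the upgrade until the setting is changed or the key is replaced.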