diff options
| author | Colin Watson <cjwatson@debian.org> | 2015-12-05 14:41:09 +0000 |
|---|---|---|
| committer | Colin Watson <cjwatson@debian.org> | 2015-12-05 14:41:09 +0000 |
| commit | e83912709e9904b517a4457c49dbf8e7d77abd4a (patch) | |
| tree | 5f82584aa275c9438ed187f7b25bac79600aeb1d /debian | |
| parent | 72ad2a8d69daa14c8e91283e9aa8be38099cd473 (diff) | |
Add NEWS.Debian documenting cryptographic changes in OpenSSH 7.0 (closes: #806962).
Diffstat (limited to 'debian')
| -rw-r--r-- | debian/NEWS | 27 | ||||
| -rw-r--r-- | debian/changelog | 2 |
2 files changed, 29 insertions, 0 deletions
diff --git a/debian/NEWS b/debian/NEWS index 40c7fc0a0..fac24aed5 100644 --- a/debian/NEWS +++ b/debian/NEWS | |||
| @@ -1,3 +1,30 @@ | |||
| 1 | openssh (1:7.1p1-2) UNRELEASED; urgency=medium | ||
| 2 | |||
| 3 | OpenSSH 7.0 disables several pieces of weak, legacy, and/or unsafe | ||
| 4 | cryptography. | ||
| 5 | |||
| 6 | * Support for the legacy SSH version 1 protocol is disabled by default at | ||
| 7 | compile time. Note that this also means that the Cipher keyword in | ||
| 8 | ssh_config(5) is effectively no longer usable; use Ciphers instead for | ||
| 9 | protocol 2. | ||
| 10 | * Support for the 1024-bit diffie-hellman-group1-sha1 key exchange is | ||
| 11 | disabled by default at run-time. It may be re-enabled using the | ||
| 12 | instructions at http://www.openssh.com/legacy.html | ||
| 13 | * Support for ssh-dss, ssh-dss-cert-* host and user keys is disabled by | ||
| 14 | default at run-time. These may be re-enabled using the instructions at | ||
| 15 | http://www.openssh.com/legacy.html | ||
| 16 | * Support for the legacy v00 cert format has been removed. | ||
| 17 | |||
| 18 | Future releases will retire more legacy cryptography, including: | ||
| 19 | |||
| 20 | * Refusing all RSA keys smaller than 1024 bits (the current minimum is | ||
| 21 | 768 bits). | ||
| 22 | * Several ciphers will be disabled by default: blowfish-cbc, cast128-cbc, | ||
| 23 | all arcfour variants, and the rijndael-cbc aliases for AES. | ||
| 24 | * MD5-based HMAC algorithms will be disabled by default. | ||
| 25 | |||
| 26 | -- Colin Watson <cjwatson@debian.org> Thu, 03 Dec 2015 17:59:08 +0000 | ||
| 27 | |||
| 1 | openssh (1:6.7p1-5) unstable; urgency=medium | 28 | openssh (1:6.7p1-5) unstable; urgency=medium |
| 2 | 29 | ||
| 3 | openssh-server 1:6.7p1-4 changed the default setting of AcceptEnv to list | 30 | openssh-server 1:6.7p1-4 changed the default setting of AcceptEnv to list |
diff --git a/debian/changelog b/debian/changelog index 672d02bb0..28c547018 100644 --- a/debian/changelog +++ b/debian/changelog | |||
| @@ -4,6 +4,8 @@ openssh (1:7.1p1-2) UNRELEASED; urgency=medium | |||
| 4 | * Drop SSH1 keepalive patch. Now that SSH1 is disabled at compile-time, | 4 | * Drop SSH1 keepalive patch. Now that SSH1 is disabled at compile-time, |
| 5 | it's been rejected upstream and there isn't much point carrying it any | 5 | it's been rejected upstream and there isn't much point carrying it any |
| 6 | more. | 6 | more. |
| 7 | * Add NEWS.Debian documenting cryptographic changes in OpenSSH 7.0 | ||
| 8 | (closes: #806962). | ||
| 7 | 9 | ||
| 8 | -- Colin Watson <cjwatson@debian.org> Thu, 03 Dec 2015 11:59:32 +0000 | 10 | -- Colin Watson <cjwatson@debian.org> Thu, 03 Dec 2015 11:59:32 +0000 |
| 9 | 11 | ||