2015-01-12 16:58:30 |
Richard Hansen |
bug |
|
|
added bug |
2015-01-12 17:27:00 |
Richard Hansen |
bug task added |
|
dropbear (Debian) |
|
2015-01-12 17:43:40 |
Richard Hansen |
attachment added |
|
debdiff for trusty https://bugs.launchpad.net/debian/+source/dropbear/+bug/1409798/+attachment/4296668/+files/dropbear-trusty-debdiff.diff |
|
2015-01-12 17:44:05 |
Richard Hansen |
attachment added |
|
debdiff for utopic/vivid https://bugs.launchpad.net/debian/+source/dropbear/+bug/1409798/+attachment/4296669/+files/dropbear-utopic-vivid-debdiff.diff |
|
2015-01-12 18:02:43 |
Richard Hansen |
attachment removed |
debdiff for trusty https://bugs.launchpad.net/debian/+source/dropbear/+bug/1409798/+attachment/4296668/+files/dropbear-trusty-debdiff.diff |
|
|
2015-01-12 18:02:53 |
Richard Hansen |
attachment removed |
debdiff for utopic/vivid https://bugs.launchpad.net/debian/+source/dropbear/+bug/1409798/+attachment/4296669/+files/dropbear-utopic-vivid-debdiff.diff |
|
|
2015-01-12 18:03:16 |
Richard Hansen |
attachment added |
|
debdiff for trusty https://bugs.launchpad.net/debian/+source/dropbear/+bug/1409798/+attachment/4296679/+files/dropbear-trusty-debdiff.diff |
|
2015-01-12 18:04:03 |
Richard Hansen |
attachment added |
|
debdiff for utopic/vivid https://bugs.launchpad.net/debian/+source/dropbear/+bug/1409798/+attachment/4296680/+files/dropbear-utopic-vivid-debdiff.diff |
|
2015-01-12 18:21:52 |
Richard Hansen |
bug watch added |
|
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=775222 |
|
2015-01-12 18:21:52 |
Richard Hansen |
dropbear (Debian): importance |
Undecided |
Unknown |
|
2015-01-12 18:21:52 |
Richard Hansen |
dropbear (Debian): status |
New |
Unknown |
|
2015-01-12 18:21:52 |
Richard Hansen |
dropbear (Debian): remote watch |
|
Debian Bug tracker #775222 |
|
2015-01-13 00:29:04 |
Ubuntu Foundations Team Bug Bot |
tags |
|
patch |
|
2015-01-13 00:29:12 |
Ubuntu Foundations Team Bug Bot |
bug |
|
|
added subscriber Ubuntu Sponsors Team |
2015-01-13 01:14:42 |
Bug Watch Updater |
dropbear (Debian): status |
Unknown |
New |
|
2015-01-13 16:10:34 |
Brian Murray |
bug |
|
|
added subscriber Brian Murray |
2015-01-13 16:10:39 |
Brian Murray |
dropbear (Ubuntu): importance |
Undecided |
Medium |
|
2015-01-13 16:10:42 |
Brian Murray |
dropbear (Ubuntu): status |
New |
Triaged |
|
2015-01-13 16:10:53 |
Brian Murray |
tags |
patch |
patch trusty utopic vivid |
|
2015-02-04 22:34:41 |
Launchpad Janitor |
branch linked |
|
lp:ubuntu/vivid-proposed/dropbear |
|
2015-02-05 00:34:05 |
Launchpad Janitor |
dropbear (Ubuntu): status |
Triaged |
Fix Released |
|
2015-02-07 11:03:43 |
Richard Hansen |
description |
Since version 2013.56, dropbear has supported the hmac-sha2-256 and hmac-sha2-512 MAC algorithms, but they are disabled by default. According to the dropbear changelog, enabling them is a matter of uncommenting the following two lines in options.h:
/*#define DROPBEAR_SHA2_256_HMAC*/
/*#define DROPBEAR_SHA2_512_HMAC*/
Due to recent NSA revelations, some people are recommending users disable certain algorithms. If the recommendations at <https://stribika.github.io/2015/01/04/secure-secure-shell.html> are followed, there are no MAC algorithms left that dropbear supports unless hmac-sha2-256 and hmac-sha2-512 are enabled. |
[Impact]
Since version 2013.56, dropbear has supported the hmac-sha2-256 and hmac-sha2-512 MAC algorithms, but they are disabled by default. According to the dropbear changelog, enabling them is a matter of uncommenting the following two lines in options.h:
/*#define DROPBEAR_SHA2_256_HMAC*/
/*#define DROPBEAR_SHA2_512_HMAC*/
Due to recent NSA revelations, some people are recommending users disable certain algorithms. If the recommendations at <https://stribika.github.io/2015/01/04/secure-secure-shell.html> are followed, there are no MAC algorithms left that dropbear supports unless hmac-sha2-256 and hmac-sha2-512 are enabled.
[Test Case]
Setup steps:
  1. install dropbear and openssh-client:
       sudo apt-get install dropbear openssh-client
  2. if you have openssh-server installed, stop it:
       sudo service ssh stop
  3. make sure that the dropbear service is enabled by editing
     /etc/default/dropbear and setting the NO_START variable to 0 like
     this:
       NO_START=0
  4. start the dropbear service:
       sudo service dropbear start
Test steps:
  5. try the hmac-sha2-256 MAC:
       ssh -o UserKnownHostsFile=/dev/null \
           -o MACs=hmac-sha2-256 localhost
  6. try the hmac-sha2-512 MAC:
       ssh -o UserKnownHostsFile=/dev/null \
           -o MACs=hmac-sha2-512 localhost
Cleanup steps:
  7. stop the dropbear service:
       sudo service dropbear stop
  8. if you edited /etc/default/dropbear to enable the dropbear
     service, disable it again by editing /etc/default/dropbear and
     setting the NO_START variable to 1 like this:
       NO_START=1
  9. if you stopped the OpenSSH server, restart it:
       sudo service ssh start
[Regression Potential]
* Due to being disabled by default upstream, the implementations of
the new MAC algorithms are probably not as well tested as the old
MAC algorithms. This may increase the likelihood of compatibility
or security bugs.
* SSH clients are likely to prefer the new MAC algorithms over the
old MAC algorithms. If either the client or server has an
implementation bug, the ability to connect may be impaired unless
the user configures the client to disallow the new algorithms or
prefer the old algorithms (e.g., via the ssh_config "MACs"
directive in OpenSSH).
* The new MAC algorithms may negatively impact performance. |
|
2015-02-07 21:22:22 |
Richard Hansen |
description |
[Impact]
Since version 2013.56, dropbear has supported the hmac-sha2-256 and hmac-sha2-512 MAC algorithms, but they are disabled by default. According to the dropbear changelog, enabling them is a matter of uncommenting the following two lines in options.h:
/*#define DROPBEAR_SHA2_256_HMAC*/
/*#define DROPBEAR_SHA2_512_HMAC*/
Due to recent NSA revelations, some people are recommending users disable certain algorithms. If the recommendations at <https://stribika.github.io/2015/01/04/secure-secure-shell.html> are followed, there are no MAC algorithms left that dropbear supports unless hmac-sha2-256 and hmac-sha2-512 are enabled.
[Test Case]
Setup steps:
  1. install dropbear and openssh-client:
       sudo apt-get install dropbear openssh-client
  2. if you have openssh-server installed, stop it:
       sudo service ssh stop
  3. make sure that the dropbear service is enabled by editing
     /etc/default/dropbear and setting the NO_START variable to 0 like
     this:
       NO_START=0
  4. start the dropbear service:
       sudo service dropbear start
Test steps:
  5. try the hmac-sha2-256 MAC:
       ssh -o UserKnownHostsFile=/dev/null \
           -o MACs=hmac-sha2-256 localhost
  6. try the hmac-sha2-512 MAC:
       ssh -o UserKnownHostsFile=/dev/null \
           -o MACs=hmac-sha2-512 localhost
Cleanup steps:
  7. stop the dropbear service:
       sudo service dropbear stop
  8. if you edited /etc/default/dropbear to enable the dropbear
     service, disable it again by editing /etc/default/dropbear and
     setting the NO_START variable to 1 like this:
       NO_START=1
  9. if you stopped the OpenSSH server, restart it:
       sudo service ssh start
[Regression Potential]
* Due to being disabled by default upstream, the implementations of
the new MAC algorithms are probably not as well tested as the old
MAC algorithms. This may increase the likelihood of compatibility
or security bugs.
* SSH clients are likely to prefer the new MAC algorithms over the
old MAC algorithms. If either the client or server has an
implementation bug, the ability to connect may be impaired unless
the user configures the client to disallow the new algorithms or
prefer the old algorithms (e.g., via the ssh_config "MACs"
directive in OpenSSH).
* The new MAC algorithms may negatively impact performance. |
[Impact]
Since version 2013.56, dropbear has supported the hmac-sha2-256 and hmac-sha2-512 MAC algorithms. However, until version 2015.67 (released 2015-01-28), they have not been enabled by default. According to the dropbear changelog, enabling them is a matter of uncommenting the following two lines in options.h:
/*#define DROPBEAR_SHA2_256_HMAC*/
/*#define DROPBEAR_SHA2_512_HMAC*/
Due to recent NSA revelations, some people are recommending users disable certain algorithms. If the recommendations at <https://stribika.github.io/2015/01/04/secure-secure-shell.html> are followed, there are no MAC algorithms left that dropbear supports unless hmac-sha2-256 and hmac-sha2-512 are enabled.
[Test Case]
Setup steps:
  1. install dropbear and openssh-client:
       sudo apt-get install dropbear openssh-client
  2. if you have openssh-server installed, stop it:
       sudo service ssh stop
  3. make sure that the dropbear service is enabled by editing
     /etc/default/dropbear and setting the NO_START variable to 0 like
     this:
       NO_START=0
  4. start the dropbear service:
       sudo service dropbear start
Test steps:
  5. try the hmac-sha2-256 MAC:
       ssh -o UserKnownHostsFile=/dev/null \
           -o MACs=hmac-sha2-256 localhost
  6. try the hmac-sha2-512 MAC:
       ssh -o UserKnownHostsFile=/dev/null \
           -o MACs=hmac-sha2-512 localhost
Cleanup steps:
  7. stop the dropbear service:
       sudo service dropbear stop
  8. if you edited /etc/default/dropbear to enable the dropbear
     service, disable it again by editing /etc/default/dropbear and
     setting the NO_START variable to 1 like this:
       NO_START=1
  9. if you stopped the OpenSSH server, restart it:
       sudo service ssh start
[Regression Potential]
* Upstream recently enabled these algorithms by default (version
2015.67 released 2015-01-28), so it is believed they are ready for
production use. The code implementing these hash algorithms has
not changed since 2013.56, so enabling these algorithms for
Trusty (based on 2013.60) should be as safe as enabling them for
Utopic (based on 2014.65). However, because the code has not been
enabled by default for long, it has probably not had as much field
testing and may be more likely to contain compatibility or
security bugs.
* SSH clients are likely to prefer the new MAC algorithms over the
old MAC algorithms. If either the client or server has an
implementation bug, the ability to connect may be impaired unless
the user configures the client to disallow the new algorithms or
prefer the old algorithms (e.g., via the ssh_config "MACs"
directive in OpenSSH).
* The new MAC algorithms may negatively impact performance. |
|
2015-02-07 23:49:36 |
C de-Avillez |
nominated for series |
|
Ubuntu Utopic |
|
2015-02-07 23:49:36 |
C de-Avillez |
bug task added |
|
dropbear (Ubuntu Utopic) |
|
2015-02-07 23:49:36 |
C de-Avillez |
nominated for series |
|
Ubuntu Trusty |
|
2015-02-07 23:49:36 |
C de-Avillez |
bug task added |
|
dropbear (Ubuntu Trusty) |
|
2015-02-08 08:53:57 |
Launchpad Janitor |
branch linked |
|
lp:~a7x/ubuntu/utopic/dropbear/bug1409798 |
|
2015-02-08 09:03:07 |
Launchpad Janitor |
branch linked |
|
lp:~a7x/ubuntu/trusty/dropbear/bug1409798 |
|
2015-02-08 09:08:43 |
Richard Hansen |
attachment removed |
debdiff for utopic/vivid https://bugs.launchpad.net/ubuntu/+source/dropbear/+bug/1409798/+attachment/4296680/+files/dropbear-utopic-vivid-debdiff.diff |
|
|
2015-02-08 09:08:56 |
Richard Hansen |
attachment removed |
debdiff for trusty https://bugs.launchpad.net/ubuntu/+source/dropbear/+bug/1409798/+attachment/4296679/+files/dropbear-trusty-debdiff.diff |
|
|
2015-02-08 09:11:07 |
Richard Hansen |
attachment added |
|
debdiff for trusty https://bugs.launchpad.net/ubuntu/+source/dropbear/+bug/1409798/+attachment/4314671/+files/dropbear-trusty-debdiff.diff |
|
2015-02-08 09:12:11 |
Richard Hansen |
attachment added |
|
debdiff for utopic https://bugs.launchpad.net/ubuntu/+source/dropbear/+bug/1409798/+attachment/4314672/+files/dropbear-utopic-debdiff.diff |
|
2015-02-10 21:28:52 |
Brian Murray |
dropbear (Ubuntu Trusty): status |
New |
Triaged |
|
2015-02-10 21:28:55 |
Brian Murray |
dropbear (Ubuntu Utopic): status |
New |
Triaged |
|
2015-02-10 21:28:58 |
Brian Murray |
dropbear (Ubuntu Trusty): importance |
Undecided |
Medium |
|
2015-02-10 21:29:00 |
Brian Murray |
dropbear (Ubuntu Utopic): importance |
Undecided |
Medium |
|
2015-02-10 21:39:52 |
Brian Murray |
dropbear (Ubuntu Trusty): status |
Triaged |
In Progress |
|
2015-02-10 21:39:54 |
Brian Murray |
dropbear (Ubuntu Utopic): status |
Triaged |
In Progress |
|
2015-02-10 21:39:56 |
Brian Murray |
dropbear (Ubuntu Trusty): assignee |
|
Brian Murray (brian-murray) |
|
2015-02-10 21:39:58 |
Brian Murray |
dropbear (Ubuntu Utopic): assignee |
|
Brian Murray (brian-murray) |
|
2015-02-10 21:40:00 |
Brian Murray |
removed subscriber Ubuntu Sponsors Team |
|
|
|
2015-02-13 08:51:57 |
Timo Aaltonen |
dropbear (Ubuntu Utopic): status |
In Progress |
Fix Committed |
|
2015-02-13 08:51:59 |
Timo Aaltonen |
bug |
|
|
added subscriber Ubuntu Stable Release Updates Team |
2015-02-13 08:52:03 |
Timo Aaltonen |
bug |
|
|
added subscriber SRU Verification |
2015-02-13 08:52:08 |
Timo Aaltonen |
tags |
patch trusty utopic vivid |
patch trusty utopic verification-needed vivid |
|
2015-02-13 08:52:50 |
Timo Aaltonen |
dropbear (Ubuntu Trusty): status |
In Progress |
Fix Committed |
|
2015-02-13 08:53:52 |
Timo Aaltonen |
tags |
patch trusty utopic verification-needed vivid |
patch trusty utopic verification-needed-trusty verification-needed-utopic vivid |
|
2015-02-13 08:59:17 |
Launchpad Janitor |
branch linked |
|
lp:ubuntu/trusty-proposed/dropbear |
|
2015-02-13 08:59:19 |
Launchpad Janitor |
branch linked |
|
lp:ubuntu/utopic-proposed/dropbear |
|
2015-02-14 22:33:32 |
Richard Hansen |
tags |
patch trusty utopic verification-needed-trusty verification-needed-utopic vivid |
patch trusty utopic verification-done-trusty verification-done-utopic vivid |
|
2015-02-20 02:07:33 |
Richard Hansen |
tags |
patch trusty utopic verification-done-trusty verification-done-utopic vivid |
patch trusty utopic verification-done verification-done-trusty verification-done-utopic vivid |
|
2015-02-25 22:41:37 |
Launchpad Janitor |
dropbear (Ubuntu Utopic): status |
Fix Committed |
Fix Released |
|
2015-02-25 22:41:42 |
Brian Murray |
removed subscriber Ubuntu Stable Release Updates Team |
|
|
|
2015-02-25 22:49:23 |
Launchpad Janitor |
dropbear (Ubuntu Trusty): status |
Fix Committed |
Fix Released |
|
2015-02-25 22:49:40 |
Brian Murray |
removed subscriber SRU Verification |
|
|
|
2015-10-11 19:18:37 |
Bug Watch Updater |
dropbear (Debian): status |
New |
Fix Released |
|