Disable weak security options in dropbear build #1161
agherzan pushed a commit that referenced this issue on Aug 30, 2018:

    We deactivate various configuration knobs which have security concerns:

    * DROPBEAR_X11FWD - no need to run X over ssh
    * DROPBEAR_SHA1_96_HMAC - HMAC 96 is known to be a weak algorithm. It is reported by OpenVAS as a low severity security issue.
    * DROPBEAR_ENABLE_CBC_MODE - As reported by OpenVAS, CBC mode can allow an attacker to obtain plaintext from a block of cyphertext.
    * DROPBEAR_DH_GROUP1 - This is documented as "less secure" while in newer versions mentioned as "too small for security".

    Fixes #1161
    Change-type: minor
    Changelog-entry: Enhanced security options for dropbear
    Signed-off-by: Andrei Gherzan <andrei@resin.io>
ghost added the flow/in-review label on Aug 30, 2018.
agherzan pushed a commit that referenced this issue on Aug 31, 2018:

    We deactivate various configuration knobs which have security concerns:

    * DROPBEAR_X11FWD - no need to run X over ssh
    * DROPBEAR_SHA1_96_HMAC - HMAC 96 is known to be a weak algorithm. It is reported by OpenVAS as a low severity security issue.
    * DROPBEAR_ENABLE_CBC_MODE - As reported by OpenVAS, CBC mode can allow an attacker to obtain plaintext from a block of cyphertext.
    * DROPBEAR_DH_GROUP1 - This is documented as "less secure" while in newer versions mentioned as "too small for security".

    Fixes #1161
    Change-type: minor
    Changelog-entry: Enhanced security options for dropbear - sumo
    Signed-off-by: Andrei Gherzan <andrei@resin.io>
agherzan pushed a commit that referenced this issue on Aug 31, 2018:

    We deactivate various configuration knobs which have security concerns:

    * DROPBEAR_X11FWD - no need to run X over ssh
    * DROPBEAR_SHA1_96_HMAC - HMAC 96 is known to be a weak algorithm. It is reported by OpenVAS as a low severity security issue.
    * DROPBEAR_ENABLE_CBC_MODE - As reported by OpenVAS, CBC mode can allow an attacker to obtain plaintext from a block of cyphertext.

    Fixes #1161
    Change-type: minor
    Changelog-entry: Enhanced security options for dropbear - krogoth
    Signed-off-by: Andrei Gherzan <andrei@resin.io>
agherzan pushed a commit that referenced this issue on Sep 4, 2018:

    We deactivate various configuration knobs which have security concerns:

    * DROPBEAR_X11FWD - no need to run X over ssh
    * DROPBEAR_SHA1_96_HMAC - HMAC 96 is known to be a weak algorithm. It is reported by OpenVAS as a low severity security issue.
    * DROPBEAR_ENABLE_CBC_MODE - As reported by OpenVAS, CBC mode can allow an attacker to obtain plaintext from a block of cyphertext.
    * DROPBEAR_DH_GROUP1 - This is documented as "less secure" while in newer versions mentioned as "too small for security".

    Fixes #1161
    Change-type: minor
    Changelog-entry: Enhanced security options for dropbear - morty
    Signed-off-by: Andrei Gherzan <andrei@resin.io>
agherzan pushed a commit that referenced this issue on Sep 4, 2018:

    We deactivate various configuration knobs which have security concerns:

    * DROPBEAR_X11FWD - no need to run X over ssh
    * DROPBEAR_SHA1_96_HMAC - HMAC 96 is known to be a weak algorithm. It is reported by OpenVAS as a low severity security issue.
    * DROPBEAR_ENABLE_CBC_MODE - As reported by OpenVAS, CBC mode can allow an attacker to obtain plaintext from a block of cyphertext.
    * DROPBEAR_DH_GROUP1 - This is documented as "less secure" while in newer versions mentioned as "too small for security".

    Fixes #1161
    Change-type: minor
    Changelog-entry: Enhanced security options for dropbear - pyro
    Signed-off-by: Andrei Gherzan <andrei@resin.io>
agherzan pushed a commit that referenced this issue on Sep 4, 2018:

    We deactivate various configuration knobs which have security concerns:

    * DROPBEAR_X11FWD - no need to run X over ssh
    * DROPBEAR_SHA1_96_HMAC - HMAC 96 is known to be a weak algorithm. It is reported by OpenVAS as a low severity security issue.
    * DROPBEAR_ENABLE_CBC_MODE - As reported by OpenVAS, CBC mode can allow an attacker to obtain plaintext from a block of cyphertext.

    Connected-to: #1161
    Change-type: minor
    Changelog-entry: Enhanced security options for dropbear - krogoth
    Signed-off-by: Andrei Gherzan <andrei@resin.io>
agherzan pushed a commit that referenced this issue on Sep 4, 2018:

    We deactivate various configuration knobs which have security concerns:

    * DROPBEAR_X11FWD - no need to run X over ssh
    * DROPBEAR_SHA1_96_HMAC - HMAC 96 is known to be a weak algorithm. It is reported by OpenVAS as a low severity security issue.
    * DROPBEAR_ENABLE_CBC_MODE - As reported by OpenVAS, CBC mode can allow an attacker to obtain plaintext from a block of cyphertext.
    * DROPBEAR_DH_GROUP1 - This is documented as "less secure" while in newer versions mentioned as "too small for security".

    Connected-to: #1161
    Change-type: minor
    Changelog-entry: Enhanced security options for dropbear - morty
    Signed-off-by: Andrei Gherzan <andrei@resin.io>
agherzan pushed a commit that referenced this issue on Sep 4, 2018:

    We deactivate various configuration knobs which have security concerns:

    * DROPBEAR_X11FWD - no need to run X over ssh
    * DROPBEAR_SHA1_96_HMAC - HMAC 96 is known to be a weak algorithm. It is reported by OpenVAS as a low severity security issue.
    * DROPBEAR_ENABLE_CBC_MODE - As reported by OpenVAS, CBC mode can allow an attacker to obtain plaintext from a block of cyphertext.
    * DROPBEAR_DH_GROUP1 - This is documented as "less secure" while in newer versions mentioned as "too small for security".

    Connected-to: #1161
    Change-type: minor
    Changelog-entry: Enhanced security options for dropbear - pyro
    Signed-off-by: Andrei Gherzan <andrei@resin.io>
agherzan pushed a commit that referenced this issue on Sep 4, 2018:

    We deactivate various configuration knobs which have security concerns:

    * DROPBEAR_X11FWD - no need to run X over ssh
    * DROPBEAR_SHA1_96_HMAC - HMAC 96 is known to be a weak algorithm. It is reported by OpenVAS as a low severity security issue.
    * DROPBEAR_ENABLE_CBC_MODE - As reported by OpenVAS, CBC mode can allow an attacker to obtain plaintext from a block of cyphertext.
    * DROPBEAR_DH_GROUP1 - This is documented as "less secure" while in newer versions mentioned as "too small for security".

    Connected-to: #1161
    Change-type: minor
    Changelog-entry: Enhanced security options for dropbear - rocko
    Signed-off-by: Andrei Gherzan <andrei@resin.io>
agherzan pushed a commit that referenced this issue on Sep 4, 2018:

    We deactivate various configuration knobs which have security concerns:

    * DROPBEAR_X11FWD - no need to run X over ssh
    * DROPBEAR_SHA1_96_HMAC - HMAC 96 is known to be a weak algorithm. It is reported by OpenVAS as a low severity security issue.
    * DROPBEAR_ENABLE_CBC_MODE - As reported by OpenVAS, CBC mode can allow an attacker to obtain plaintext from a block of cyphertext.
    * DROPBEAR_DH_GROUP1 - This is documented as "less secure" while in newer versions mentioned as "too small for security".

    Fixes: #1161
    Change-type: minor
    Changelog-entry: Enhanced security options for dropbear - sumo
    Signed-off-by: Andrei Gherzan <andrei@resin.io>
Merged to development branch.
ghost removed the flow/in-review label on Sep 11, 2018.
A Nessus scan of resinOS revealed two low priority findings (SSH Server CBC Mode Ciphers Enabled, SSH Weak MAC Algorithms Enabled) related to the dropbear configuration. Unless deliberately enabled for backward compatibility, the request is to add the following options to the Resin dropbear build.
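A defender-side check for the two scanner findings above and the build knobs the commits disable, as an added example (not code from this issue, balenaOS or dropbear): it decodes an SSH_MSG_KEXINIT payload as laid out in RFC 4253 section 7.1 and maps every weak algorithm a server advertises to the dropbear option that removes it. The payload it audits is a constructed sample, not a capture from a real device.

```python
"""Audit an SSH_MSG_KEXINIT payload (RFC 4253 section 7.1) for the weak
algorithms this issue disables: CBC ciphers, 96-bit truncated HMACs and
diffie-hellman-group1-sha1.  The sample payload is constructed inline."""
import struct

FIELDS = ("kex", "hostkey", "enc_c2s", "enc_s2c", "mac_c2s", "mac_s2c",
          "comp_c2s", "comp_s2c", "lang_c2s", "lang_s2c")

def build_kexinit(lists):
    """Encode: msg id 20, 16-byte cookie, ten name-lists, bool, uint32."""
    out = bytes([20]) + b"\x00" * 16  # zero cookie: constructed sample only
    for field in FIELDS:
        names = ",".join(lists.get(field, [])).encode("ascii")
        out += struct.pack(">I", len(names)) + names
    return out + b"\x00" + struct.pack(">I", 0)

def parse_kexinit(payload):
    """Decode the ten name-lists back into a dict of algorithm lists."""
    if payload[0] != 20:
        raise ValueError("not an SSH_MSG_KEXINIT payload")
    pos, lists = 17, {}
    for field in FIELDS:
        (length,) = struct.unpack_from(">I", payload, pos)
        raw = payload[pos + 4:pos + 4 + length].decode("ascii")
        lists[field] = raw.split(",") if raw else []
        pos += 4 + length
    return lists

def audit_kexinit(payload):
    """Map each weak algorithm found to the dropbear knob that removes it."""
    lists, findings = parse_kexinit(payload), {}
    cbc = sorted({a for f in ("enc_c2s", "enc_s2c") for a in lists[f]
                  if a.endswith("-cbc")})
    macs = sorted({a for f in ("mac_c2s", "mac_s2c") for a in lists[f]
                   if a.endswith("-96")})  # truncated tags, e.g. hmac-sha1-96
    if cbc:
        findings["DROPBEAR_ENABLE_CBC_MODE"] = cbc
    if macs:
        findings["DROPBEAR_SHA1_96_HMAC"] = macs
    if "diffie-hellman-group1-sha1" in lists["kex"]:
        findings["DROPBEAR_DH_GROUP1"] = ["diffie-hellman-group1-sha1"]
    return findings

# Constructed sample of a permissive algorithm set (not a real capture).
SAMPLE = build_kexinit({
    "kex": ["curve25519-sha256", "diffie-hellman-group1-sha1"],
    "hostkey": ["ssh-ed25519"],
    "enc_c2s": ["aes128-ctr", "aes128-cbc"], "enc_s2c": ["aes128-ctr", "aes256-cbc"],
    "mac_c2s": ["hmac-sha2-256", "hmac-sha1-96"], "mac_s2c": ["hmac-sha2-256"],
    "comp_c2s": ["none"], "comp_s2c": ["none"]})
```

Feeding `audit_kexinit` the KEXINIT captured from a device gives the list of knobs still to be switched off; an empty result means none of the page's findings would be raised for that algorithm set.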