Disable weak security options in dropbear build #1161

Closed
shaunmulligan opened this issue Aug 24, 2018 · 1 comment
@shaunmulligan

A Nessus scan of resinOS revealed two low priority findings (SSH Server CBC Mode Ciphers Enabled, SSH Weak MAC Algorithms Enabled) related to the dropbear configuration. Unless deliberately enabled for backward compatibility, the request is to add the following options to the Resin dropbear build.

/* Disable Use of SHA1 hash for HMAC */
#define DROPBEAR_SHA1_96_HMAC 0

/* Disable CBC mode for ciphers */
#define DROPBEAR_ENABLE_CBC_MODE 0

/* Disable X11 Forwarding */
#define DROPBEAR_X11FWD 0
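Added example, not code from the issue or the resinOS project: a check that a rebuilt dropbear no longer advertises the algorithms these knobs control, by parsing the name-lists of the server's SSH_MSG_KEXINIT (RFC 4253). The mapping from preprocessor knob to wire-level algorithm name is an assumption drawn from the option names, X11 forwarding is not visible in KEXINIT so it is not checked, and both payloads below are constructed samples rather than captures.

```python
import struct

SSH_MSG_KEXINIT = 20
# Wire names the disabled knobs control (assumed mapping from the option names).
KNOB_FOR = {"diffie-hellman-group1-sha1": "DROPBEAR_DH_GROUP1",
            "hmac-sha1-96": "DROPBEAR_SHA1_96_HMAC"}
CBC_KNOB = "DROPBEAR_ENABLE_CBC_MODE"
FIELDS = ["kex", "hostkey", "enc_c2s", "enc_s2c", "mac_c2s", "mac_s2c",
          "comp_c2s", "comp_s2c", "lang_c2s", "lang_s2c"]

def parse_kexinit(payload: bytes) -> dict:
    """Decode the ten name-lists of an SSH_MSG_KEXINIT payload (RFC 4253 section 7.1)."""
    if payload[0] != SSH_MSG_KEXINIT:
        raise ValueError("not a KEXINIT message")
    off, out = 1 + 16, {}  # skip the message id and the 16-byte random cookie
    for name in FIELDS:
        (n,) = struct.unpack_from(">I", payload, off)
        raw = payload[off + 4:off + 4 + n]
        out[name] = raw.decode("ascii").split(",") if raw else []
        off += 4 + n
    return out

def audit(lists: dict) -> dict:
    """Map each still-advertised weak algorithm to the dropbear knob that removes it."""
    findings = {}
    for alg in lists["kex"] + lists["mac_c2s"] + lists["mac_s2c"]:
        if alg in KNOB_FOR:
            findings[alg] = KNOB_FOR[alg]
    for alg in lists["enc_c2s"] + lists["enc_s2c"]:
        if alg.endswith("-cbc"):  # any CBC-mode cipher, e.g. aes128-cbc, 3des-cbc
            findings[alg] = CBC_KNOB
    return findings

def build_kexinit(kex, enc, mac) -> bytes:
    """Assemble a KEXINIT payload for a given algorithm set (constructed, not captured)."""
    def namelist(items):
        s = ",".join(items).encode("ascii")
        return struct.pack(">I", len(s)) + s
    body = bytes([SSH_MSG_KEXINIT]) + b"\x00" * 16  # cookie zeroed for the sample
    body += namelist(kex) + namelist(["ssh-rsa"]) + namelist(enc) * 2 + namelist(mac) * 2
    body += namelist(["none"]) * 2 + namelist([]) * 2
    return body + b"\x00" + b"\x00" * 4  # first_kex_packet_follows=0, reserved

# Constructed samples: a build with the defaults on, and one with the three algorithm knobs off.
BEFORE = build_kexinit(["diffie-hellman-group14-sha1", "diffie-hellman-group1-sha1"],
                       ["aes128-ctr", "aes128-cbc", "3des-cbc"],
                       ["hmac-sha2-256", "hmac-sha1", "hmac-sha1-96"])
AFTER = build_kexinit(["diffie-hellman-group14-sha1"], ["aes128-ctr"], ["hmac-sha2-256"])
```

Run `audit(parse_kexinit(payload))` on the KEXINIT a device actually sends; an empty result means none of the scanner-flagged algorithms are offered.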
agherzan pushed a commit that referenced this issue Aug 30, 2018
We deactivate various configuration knobs which have security concerns:

* DROPBEAR_X11FWD - no need to run X over ssh
* DROPBEAR_SHA1_96_HMAC - HMAC 96 is known to be a weak algorithm. It is
        reported by OpenVAS as a low severity security issue.
* DROPBEAR_ENABLE_CBC_MODE - As reported by OpenVAS, CBC mode can allow
        an attacker to obtain plaintext from a block of cyphertext.
* DROPBEAR_DH_GROUP1 - This is documented as "less secure" while in
        newer versions mentioned as "too small for security".

Fixes #1161

Change-type: minor
Changelog-entry: Enhanced security options for dropbear
Signed-off-by: Andrei Gherzan <andrei@resin.io>
@ghost ghost added the flow/in-review label Aug 30, 2018
agherzan pushed a commit that referenced this issue Aug 31, 2018
We deactivate various configuration knobs which have security concerns:

* DROPBEAR_X11FWD - no need to run X over ssh
* DROPBEAR_SHA1_96_HMAC - HMAC 96 is known to be a weak algorithm. It is
        reported by OpenVAS as a low severity security issue.
* DROPBEAR_ENABLE_CBC_MODE - As reported by OpenVAS, CBC mode can allow
        an attacker to obtain plaintext from a block of cyphertext.
* DROPBEAR_DH_GROUP1 - This is documented as "less secure" while in
        newer versions mentioned as "too small for security".

Fixes #1161

Change-type: minor
Changelog-entry: Enhanced security options for dropbear
Signed-off-by: Andrei Gherzan <andrei@resin.io>
agherzan pushed a commit that referenced this issue Aug 31, 2018
We deactivate various configuration knobs which have security concerns:

* DROPBEAR_X11FWD - no need to run X over ssh
* DROPBEAR_SHA1_96_HMAC - HMAC 96 is known to be a weak algorithm. It is
        reported by OpenVAS as a low severity security issue.
* DROPBEAR_ENABLE_CBC_MODE - As reported by OpenVAS, CBC mode can allow
        an attacker to obtain plaintext from a block of cyphertext.
* DROPBEAR_DH_GROUP1 - This is documented as "less secure" while in
        newer versions mentioned as "too small for security".

Fixes #1161

Change-type: minor
Changelog-entry: Enhanced security options for dropbear - sumo
Signed-off-by: Andrei Gherzan <andrei@resin.io>
agherzan pushed a commit that referenced this issue Aug 31, 2018
We deactivate various configuration knobs which have security concerns:

* DROPBEAR_X11FWD - no need to run X over ssh
* DROPBEAR_SHA1_96_HMAC - HMAC 96 is known to be a weak algorithm. It is
        reported by OpenVAS as a low severity security issue.
* DROPBEAR_ENABLE_CBC_MODE - As reported by OpenVAS, CBC mode can allow
        an attacker to obtain plaintext from a block of cyphertext.

Fixes #1161

Change-type: minor
Changelog-entry: Enhanced security options for dropbear - krogoth
Signed-off-by: Andrei Gherzan <andrei@resin.io>
agherzan pushed a commit that referenced this issue Aug 31, 2018
We deactivate various configuration knobs which have security concerns:

* DROPBEAR_X11FWD - no need to run X over ssh
* DROPBEAR_SHA1_96_HMAC - HMAC 96 is known to be a weak algorithm. It is
        reported by OpenVAS as a low severity security issue.
* DROPBEAR_ENABLE_CBC_MODE - As reported by OpenVAS, CBC mode can allow
        an attacker to obtain plaintext from a block of cyphertext.

Fixes #1161

Change-type: minor
Changelog-entry: Enhanced security options for dropbear - krogoth
Signed-off-by: Andrei Gherzan <andrei@resin.io>
agherzan pushed a commit that referenced this issue Sep 4, 2018
We deactivate various configuration knobs which have security concerns:

* DROPBEAR_X11FWD - no need to run X over ssh
* DROPBEAR_SHA1_96_HMAC - HMAC 96 is known to be a weak algorithm. It is
        reported by OpenVAS as a low severity security issue.
* DROPBEAR_ENABLE_CBC_MODE - As reported by OpenVAS, CBC mode can allow
        an attacker to obtain plaintext from a block of cyphertext.
* DROPBEAR_DH_GROUP1 - This is documented as "less secure" while in
        newer versions mentioned as "too small for security".

Fixes #1161

Change-type: minor
Changelog-entry: Enhanced security options for dropbear - morty
Signed-off-by: Andrei Gherzan <andrei@resin.io>
agherzan pushed a commit that referenced this issue Sep 4, 2018
We deactivate various configuration knobs which have security concerns:

* DROPBEAR_X11FWD - no need to run X over ssh
* DROPBEAR_SHA1_96_HMAC - HMAC 96 is known to be a weak algorithm. It is
        reported by OpenVAS as a low severity security issue.
* DROPBEAR_ENABLE_CBC_MODE - As reported by OpenVAS, CBC mode can allow
        an attacker to obtain plaintext from a block of cyphertext.
* DROPBEAR_DH_GROUP1 - This is documented as "less secure" while in
        newer versions mentioned as "too small for security".

Fixes #1161

Change-type: minor
Changelog-entry: Enhanced security options for dropbear - pyro
Signed-off-by: Andrei Gherzan <andrei@resin.io>
agherzan pushed a commit that referenced this issue Sep 4, 2018
We deactivate various configuration knobs which have security concerns:

* DROPBEAR_X11FWD - no need to run X over ssh
* DROPBEAR_SHA1_96_HMAC - HMAC 96 is known to be a weak algorithm. It is
        reported by OpenVAS as a low severity security issue.
* DROPBEAR_ENABLE_CBC_MODE - As reported by OpenVAS, CBC mode can allow
        an attacker to obtain plaintext from a block of cyphertext.

Connected-to: #1161
Change-type: minor
Changelog-entry: Enhanced security options for dropbear - krogoth
Signed-off-by: Andrei Gherzan <andrei@resin.io>
agherzan pushed a commit that referenced this issue Sep 4, 2018
We deactivate various configuration knobs which have security concerns:

* DROPBEAR_X11FWD - no need to run X over ssh
* DROPBEAR_SHA1_96_HMAC - HMAC 96 is known to be a weak algorithm. It is
        reported by OpenVAS as a low severity security issue.
* DROPBEAR_ENABLE_CBC_MODE - As reported by OpenVAS, CBC mode can allow
        an attacker to obtain plaintext from a block of cyphertext.
* DROPBEAR_DH_GROUP1 - This is documented as "less secure" while in
        newer versions mentioned as "too small for security".

Connected-to: #1161
Change-type: minor
Changelog-entry: Enhanced security options for dropbear - morty
Signed-off-by: Andrei Gherzan <andrei@resin.io>
agherzan pushed a commit that referenced this issue Sep 4, 2018
We deactivate various configuration knobs which have security concerns:

* DROPBEAR_X11FWD - no need to run X over ssh
* DROPBEAR_SHA1_96_HMAC - HMAC 96 is known to be a weak algorithm. It is
        reported by OpenVAS as a low severity security issue.
* DROPBEAR_ENABLE_CBC_MODE - As reported by OpenVAS, CBC mode can allow
        an attacker to obtain plaintext from a block of cyphertext.
* DROPBEAR_DH_GROUP1 - This is documented as "less secure" while in
        newer versions mentioned as "too small for security".

Connected-to: #1161
Change-type: minor
Changelog-entry: Enhanced security options for dropbear - pyro
Signed-off-by: Andrei Gherzan <andrei@resin.io>
agherzan pushed a commit that referenced this issue Sep 4, 2018
We deactivate various configuration knobs which have security concerns:

* DROPBEAR_X11FWD - no need to run X over ssh
* DROPBEAR_SHA1_96_HMAC - HMAC 96 is known to be a weak algorithm. It is
        reported by OpenVAS as a low severity security issue.
* DROPBEAR_ENABLE_CBC_MODE - As reported by OpenVAS, CBC mode can allow
        an attacker to obtain plaintext from a block of cyphertext.
* DROPBEAR_DH_GROUP1 - This is documented as "less secure" while in
        newer versions mentioned as "too small for security".

Connected-to: #1161
Change-type: minor
Changelog-entry: Enhanced security options for dropbear - rocko
Signed-off-by: Andrei Gherzan <andrei@resin.io>
agherzan pushed a commit that referenced this issue Sep 4, 2018
We deactivate various configuration knobs which have security concerns:

* DROPBEAR_X11FWD - no need to run X over ssh
* DROPBEAR_SHA1_96_HMAC - HMAC 96 is known to be a weak algorithm. It is
        reported by OpenVAS as a low severity security issue.
* DROPBEAR_ENABLE_CBC_MODE - As reported by OpenVAS, CBC mode can allow
        an attacker to obtain plaintext from a block of cyphertext.
* DROPBEAR_DH_GROUP1 - This is documented as "less secure" while in
        newer versions mentioned as "too small for security".

Fixes: #1161
Change-type: minor
Changelog-entry: Enhanced security options for dropbear - sumo
Signed-off-by: Andrei Gherzan <andrei@resin.io>
agherzan pushed a commit that referenced this issue Sep 11, 2018
We deactivate various configuration knobs which have security concerns:

* DROPBEAR_X11FWD - no need to run X over ssh
* DROPBEAR_SHA1_96_HMAC - HMAC 96 is known to be a weak algorithm. It is
        reported by OpenVAS as a low severity security issue.
* DROPBEAR_ENABLE_CBC_MODE - As reported by OpenVAS, CBC mode can allow
        an attacker to obtain plaintext from a block of cyphertext.

Connected-to: #1161
Change-type: minor
Changelog-entry: Enhanced security options for dropbear - krogoth
Signed-off-by: Andrei Gherzan <andrei@resin.io>
agherzan pushed a commit that referenced this issue Sep 11, 2018
We deactivate various configuration knobs which have security concerns:

* DROPBEAR_X11FWD - no need to run X over ssh
* DROPBEAR_SHA1_96_HMAC - HMAC 96 is known to be a weak algorithm. It is
        reported by OpenVAS as a low severity security issue.
* DROPBEAR_ENABLE_CBC_MODE - As reported by OpenVAS, CBC mode can allow
        an attacker to obtain plaintext from a block of cyphertext.
* DROPBEAR_DH_GROUP1 - This is documented as "less secure" while in
        newer versions mentioned as "too small for security".

Connected-to: #1161
Change-type: minor
Changelog-entry: Enhanced security options for dropbear - morty
Signed-off-by: Andrei Gherzan <andrei@resin.io>
agherzan pushed a commit that referenced this issue Sep 11, 2018
We deactivate various configuration knobs which have security concerns:

* DROPBEAR_X11FWD - no need to run X over ssh
* DROPBEAR_SHA1_96_HMAC - HMAC 96 is known to be a weak algorithm. It is
        reported by OpenVAS as a low severity security issue.
* DROPBEAR_ENABLE_CBC_MODE - As reported by OpenVAS, CBC mode can allow
        an attacker to obtain plaintext from a block of cyphertext.
* DROPBEAR_DH_GROUP1 - This is documented as "less secure" while in
        newer versions mentioned as "too small for security".

Connected-to: #1161
Change-type: minor
Changelog-entry: Enhanced security options for dropbear - pyro
Signed-off-by: Andrei Gherzan <andrei@resin.io>
agherzan pushed a commit that referenced this issue Sep 11, 2018
We deactivate various configuration knobs which have security concerns:

* DROPBEAR_X11FWD - no need to run X over ssh
* DROPBEAR_SHA1_96_HMAC - HMAC 96 is known to be a weak algorithm. It is
        reported by OpenVAS as a low severity security issue.
* DROPBEAR_ENABLE_CBC_MODE - As reported by OpenVAS, CBC mode can allow
        an attacker to obtain plaintext from a block of cyphertext.
* DROPBEAR_DH_GROUP1 - This is documented as "less secure" while in
        newer versions mentioned as "too small for security".

Connected-to: #1161
Change-type: minor
Changelog-entry: Enhanced security options for dropbear - rocko
Signed-off-by: Andrei Gherzan <andrei@resin.io>
agherzan pushed a commit that referenced this issue Sep 11, 2018
We deactivate various configuration knobs which have security concerns:

* DROPBEAR_X11FWD - no need to run X over ssh
* DROPBEAR_SHA1_96_HMAC - HMAC 96 is known to be a weak algorithm. It is
        reported by OpenVAS as a low severity security issue.
* DROPBEAR_ENABLE_CBC_MODE - As reported by OpenVAS, CBC mode can allow
        an attacker to obtain plaintext from a block of cyphertext.
* DROPBEAR_DH_GROUP1 - This is documented as "less secure" while in
        newer versions mentioned as "too small for security".

Fixes: #1161
Change-type: minor
Changelog-entry: Enhanced security options for dropbear - sumo
Signed-off-by: Andrei Gherzan <andrei@resin.io>
@agherzan
Contributor

Merged to development branch.

@ghost ghost removed the flow/in-review label Sep 11, 2018