dropbear: Enhanced security options #1163
@agherzan, status checks have failed for this PR. Please make appropriate changes and recommit.
11a97fc to b993e59
LGTM. Surprised these are enabled by default.
b993e59 to 836dc07
We deactivate various configuration knobs which have security concerns:
* DROPBEAR_X11FWD - no need to run X over ssh
* DROPBEAR_SHA1_96_HMAC - HMAC 96 is known to be a weak algorithm. It is reported by OpenVAS as a low severity security issue.
* DROPBEAR_ENABLE_CBC_MODE - As reported by OpenVAS, CBC mode can allow an attacker to obtain plaintext from a block of cyphertext.
Connected-to: #1161
Change-type: minor
Changelog-entry: Enhanced security options for dropbear - krogoth
Signed-off-by: Andrei Gherzan <andrei@resin.io>

We deactivate various configuration knobs which have security concerns:
* DROPBEAR_X11FWD - no need to run X over ssh
* DROPBEAR_SHA1_96_HMAC - HMAC 96 is known to be a weak algorithm. It is reported by OpenVAS as a low severity security issue.
* DROPBEAR_ENABLE_CBC_MODE - As reported by OpenVAS, CBC mode can allow an attacker to obtain plaintext from a block of cyphertext.
* DROPBEAR_DH_GROUP1 - This is documented as "less secure" while in newer versions mentioned as "too small for security".
Connected-to: #1161
Change-type: minor
Changelog-entry: Enhanced security options for dropbear - morty
Signed-off-by: Andrei Gherzan <andrei@resin.io>

We deactivate various configuration knobs which have security concerns:
* DROPBEAR_X11FWD - no need to run X over ssh
* DROPBEAR_SHA1_96_HMAC - HMAC 96 is known to be a weak algorithm. It is reported by OpenVAS as a low severity security issue.
* DROPBEAR_ENABLE_CBC_MODE - As reported by OpenVAS, CBC mode can allow an attacker to obtain plaintext from a block of cyphertext.
* DROPBEAR_DH_GROUP1 - This is documented as "less secure" while in newer versions mentioned as "too small for security".
Connected-to: #1161
Change-type: minor
Changelog-entry: Enhanced security options for dropbear - pyro
Signed-off-by: Andrei Gherzan <andrei@resin.io>

We deactivate various configuration knobs which have security concerns:
* DROPBEAR_X11FWD - no need to run X over ssh
* DROPBEAR_SHA1_96_HMAC - HMAC 96 is known to be a weak algorithm. It is reported by OpenVAS as a low severity security issue.
* DROPBEAR_ENABLE_CBC_MODE - As reported by OpenVAS, CBC mode can allow an attacker to obtain plaintext from a block of cyphertext.
* DROPBEAR_DH_GROUP1 - This is documented as "less secure" while in newer versions mentioned as "too small for security".
Connected-to: #1161
Change-type: minor
Changelog-entry: Enhanced security options for dropbear - rocko
Signed-off-by: Andrei Gherzan <andrei@resin.io>

We deactivate various configuration knobs which have security concerns:
* DROPBEAR_X11FWD - no need to run X over ssh
* DROPBEAR_SHA1_96_HMAC - HMAC 96 is known to be a weak algorithm. It is reported by OpenVAS as a low severity security issue.
* DROPBEAR_ENABLE_CBC_MODE - As reported by OpenVAS, CBC mode can allow an attacker to obtain plaintext from a block of cyphertext.
* DROPBEAR_DH_GROUP1 - This is documented as "less secure" while in newer versions mentioned as "too small for security".
Fixes: #1161
Change-type: minor
Changelog-entry: Enhanced security options for dropbear - sumo
Signed-off-by: Andrei Gherzan <andrei@resin.io>
4207b25 to 824d45b
Dropped in favour of: #1171
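We deactivate various configuration knobs which have security concerns:
* DROPBEAR_X11FWD - no need to run X over ssh
* DROPBEAR_SHA1_96_HMAC - HMAC 96 is known to be a weak algorithm. It is reported by OpenVAS as a low severity security issue.
* DROPBEAR_ENABLE_CBC_MODE - As reported by OpenVAS, CBC mode can allow an attacker to obtain plaintext from a block of cyphertext.
* DROPBEAR_DH_GROUP1 - This is documented as "less secure" while in newer versions mentioned as "too small for security".
Fixes #1161
Change-type: minor
Changelog-entry: Enhanced security options for dropbear
Signed-off-by: Andrei Gherzan <andrei@resin.io>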
Contributor checklist
* Change-type present on at least one commit
* Signed-off-by is present
Reviewer Guidelines
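A check for the effect of these knobs, added here as an example and not part of the PR or the dropbear project: it parses an SSH_MSG_KEXINIT payload (RFC 4253, section 7.1) and flags the algorithms that DROPBEAR_DH_GROUP1, DROPBEAR_ENABLE_CBC_MODE and DROPBEAR_SHA1_96_HMAC would otherwise advertise. The mapping to standard SSH wire names and the two sample payloads are assumptions constructed for the example; X11 forwarding is not negotiated in KEXINIT, so DROPBEAR_X11FWD is outside its scope.

```python
import struct

# Standard SSH wire names assumed to correspond to the knobs named in the PR.
WEAK_KEX = {"diffie-hellman-group1-sha1"}   # DROPBEAR_DH_GROUP1
WEAK_MAC = {"hmac-sha1-96"}                 # DROPBEAR_SHA1_96_HMAC
FIELDS = ["kex", "hostkey", "enc_c2s", "enc_s2c", "mac_c2s", "mac_s2c",
          "comp_c2s", "comp_s2c", "lang_c2s", "lang_s2c"]

def parse_kexinit(payload: bytes) -> dict:
    """Parse an SSH_MSG_KEXINIT payload into its ten name-lists."""
    if len(payload) < 17 or payload[0] != 20:
        raise ValueError("not an SSH_MSG_KEXINIT payload")
    pos, out = 17, {}                       # skip message type + 16-byte cookie
    for field in FIELDS:
        if pos + 4 > len(payload):
            raise ValueError("truncated name-list length")
        (n,) = struct.unpack_from(">I", payload, pos)
        pos += 4
        if pos + n > len(payload):
            raise ValueError("truncated name-list")
        raw = payload[pos:pos + n].decode("ascii")
        out[field] = raw.split(",") if raw else []
        pos += n
    return out

def audit(lists: dict) -> list:
    """Return sorted (field, algorithm) pairs a hardened build should not offer."""
    hits = {("kex", a) for a in lists["kex"] if a in WEAK_KEX}
    for f in ("enc_c2s", "enc_s2c"):        # DROPBEAR_ENABLE_CBC_MODE
        hits |= {(f, a) for a in lists[f] if a.endswith("-cbc")}
    for f in ("mac_c2s", "mac_s2c"):
        hits |= {(f, a) for a in lists[f] if a in WEAK_MAC}
    return sorted(hits)

def build_kexinit(kex, enc, mac) -> bytes:
    """Build a sample payload (constructed test data, not captured traffic)."""
    lists = [kex, ["ssh-rsa"], enc, enc, mac, mac, ["none"], ["none"], [], []]
    body = b"".join(struct.pack(">I", len(s)) + s
                    for s in (",".join(l).encode() for l in lists))
    return bytes([20]) + bytes(16) + body + b"\x00" + bytes(4)

# Constructed samples: knobs enabled (BEFORE) and knobs disabled (AFTER).
BEFORE = build_kexinit(["diffie-hellman-group14-sha1", "diffie-hellman-group1-sha1"],
                       ["aes128-ctr", "aes256-ctr", "aes128-cbc", "3des-cbc"],
                       ["hmac-sha1-96", "hmac-sha1", "hmac-sha2-256"])
AFTER = build_kexinit(["diffie-hellman-group14-sha1"],
                      ["aes128-ctr", "aes256-ctr"], ["hmac-sha1", "hmac-sha2-256"])

if __name__ == "__main__":
    print(audit(parse_kexinit(BEFORE)), audit(parse_kexinit(AFTER)))
```

To use it against a real build, pass in the KEXINIT payload from a packet capture of the server's first key-exchange message.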