Date: Wed, 2 Apr 2025 02:39:27 +0200
From: Christian Weisgerber
To: freebsd-security@freebsd.org
Subject: Re: Heads-up: DSA key support being removed from OpenSSH
List-Archive: https://lists.freebsd.org/archives/freebsd-security

Christian Weisgerber:

> If OpenSSH upstream stick to the published schedule, version 9.9
> that is now in 13-STABLE/14-STABLE/15-CURRENT will be the _final_
> release that even includes the DSA code.

Subject: Call for testing: OpenSSH 10.0
[...]
Potentially-incompatible changes
--------------------------------

 * This release removes support for the weak DSA signature algorithm,
   completing the deprecation process that began in 2015 (when DSA
   was disabled by default) and repeatedly warned over the last
   12 months.
[...]

https://lists.mindrot.org/pipermail/openssh-unix-dev/2025-April/041855.html

-- 
Christian "naddy" Weisgerber                          naddy@mips.inka.de
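
An added example, not part of the original post and not OpenSSH or FreeBSD code: one way to find the DSA keys that the removal announced above will affect, by reading the key type from inside each base64 blob in authorized_keys or known_hosts style text rather than trusting the text label. The function names and the sample lines are constructed for illustration; the sample blobs carry a real type header but filler key material.

```python
import base64
import binascii
import struct

# SSH wire-format names for DSA: plain public keys and OpenSSH certificates.
DSA_TYPES = {b"ssh-dss", b"ssh-dss-cert-v01@openssh.com"}


def blob_key_type(token):
    """Return the key type stored inside a base64 SSH key blob, else None."""
    try:
        blob = base64.b64decode(token, validate=True)
    except (binascii.Error, ValueError):
        return None  # options, host names and comments are not valid blobs
    if len(blob) < 4:
        return None
    (n,) = struct.unpack(">I", blob[:4])  # blob starts with a length-prefixed name
    if not 0 < n <= 64 or len(blob) < 4 + n:
        return None
    return blob[4:4 + n]


def find_dsa_keys(text):
    """Return [(line_number, key_type)] for DSA keys in key-file text."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if line.lstrip().startswith("#"):
            continue
        for token in line.split():
            ktype = blob_key_type(token)
            if ktype in DSA_TYPES:
                hits.append((lineno, ktype.decode()))
                break
    return hits


def fake_blob(ktype):
    """Constructed blob: real type header plus filler bytes, not a usable key."""
    return base64.b64encode(struct.pack(">I", len(ktype)) + ktype + bytes(32)).decode()


# Constructed sample mixing authorized_keys and known_hosts line shapes.
SAMPLE = "\n".join([
    "# constructed sample, not real keys",
    "ssh-ed25519 " + fake_blob(b"ssh-ed25519") + " alice@example",
    'command="/usr/bin/true",no-pty ssh-dss ' + fake_blob(b"ssh-dss") + " backup@example",
    "host.example.org ssh-dss " + fake_blob(b"ssh-dss"),
    "ssh-rsa " + fake_blob(b"ssh-rsa") + " ssh-dss-migration-note",
])

if __name__ == "__main__":
    for lineno, ktype in find_dsa_keys(SAMPLE):
        print(f"line {lineno}: {ktype} key will stop working once DSA support is removed")
```

Checking the blob instead of the label catches keys that sit behind an options prefix or a host name field, and it ignores comments that merely mention ssh-dss.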