From: Ed Maste
Date: Wed, 9 Apr 2025 13:34:22 -0400
Subject: Re: Heads-up: DSA key support being removed from OpenSSH
To: Christian Weisgerber
Cc: freebsd-security@freebsd.org

On Tue, 1 Apr 2025 at 20:40, Christian Weisgerber wrote:
>
> Christian Weisgerber:
>
> > If OpenSSH upstream stick to the published schedule, version 9.9
> > that is now in 13-STABLE/14-STABLE/15-CURRENT will be the _final_
> > release that even includes the DSA code.
>
> Subject: Call for testing: OpenSSH 10.0
> [...]
> Potentially-incompatible changes
> --------------------------------
>
>  * This release removes support for the weak DSA signature
>    algorithm, completing the deprecation process that began in
>    2015 (when DSA was disabled by default) and repeatedly warned
>    over the last 12 months.
> [...]
>
> https://lists.mindrot.org/pipermail/openssh-unix-dev/2025-April/041855.html

I'm preparing to import OpenSSH 10.0 into the FreeBSD base system, and
intend to merge the DSA removal separately in advance. Two reviews are
open for this:

- https://reviews.freebsd.org/D49739
- https://reviews.freebsd.org/D49740 (rc.d/sshd update from jlduran)
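
A pre-upgrade check for the removal announced above, as an added example that is not part of the original message or of the FreeBSD or OpenSSH sources: a shell function that lists DSA (`ssh-dss`) entries in `authorized_keys`, `known_hosts` or `*.pub` files. The function name is hypothetical and the key blobs in the sample are constructed placeholders, not real keys.

```shell
#!/bin/sh
# Added example: report DSA public-key entries in OpenSSH key files.
# Prints "file:line:keytype" per hit; returns 1 if any DSA entry was found.
find_dsa_keys() {
    awk '
        /^[ \t]*#/ || /^[ \t]*$/ { next }    # skip comments and blank lines
        {
            # The key type is not always field 1: authorized_keys lines may
            # begin with options and known_hosts lines with host patterns.
            # Requiring the next field to look like a key blob (every SSH
            # wire-format blob encodes to base64 starting "AAAA") avoids
            # matching "ssh-dss" inside a quoted command="..." option.
            for (i = 1; i < NF; i++) {
                if (($i == "ssh-dss" || $i == "ssh-dss-cert-v01@openssh.com") \
                    && $(i + 1) ~ /^AAAA/) {
                    printf "%s:%d:%s\n", FILENAME, FNR, $i
                    found = 1
                    break
                }
            }
        }
        END { exit (found ? 1 : 0) }
    ' "$@"
}

# With file arguments, scan them, e.g.
#   sh thisfile ~/.ssh/authorized_keys /etc/ssh/ssh_host_*_key.pub
# With none, scan a constructed sample (blobs are placeholders).
if [ "$#" -gt 0 ]; then
    find_dsa_keys "$@"
else
    sample=$(mktemp)
    cat > "$sample" <<'EOF'
# constructed sample authorized_keys
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5constructed alice@example.org
from="192.0.2.0/24",no-pty ssh-dss AAAAB3NzaC1kc3Mconstructed legacy@example.org
command="echo ssh-dss keys" ssh-rsa AAAAB3NzaC1yc2Econstructed bob@example.org
EOF
    find_dsa_keys "$sample" || echo "DSA entries found: replace them before moving to OpenSSH 10.0"
    rm -f "$sample"
fi
```
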