From: Simon Hoffmann
To: Ed Maste
Cc: freebsd-security@freebsd.org
Date: Sat, 11 Sep 2021 19:36:55 +0200
Subject: Re: Important note for future FreeBSD base system OpenSSH update
Message-ID: <20210911173655.GB76404@admin02.HOFF.local>
> The notice includes a command to run to determine if a server will be
> affected by this issue - I would appreciate it if folks can try it
> with servers they use and report back, to help determine if this will
> be an issue in practice and to help guide the next base system update.

I'm not exactly sure what you are expecting as a report.

I still have some very old keys that use ssh-rsa. I've noticed this on an OpenBSD -snapshot test VM, as I was unable to connect.

So, yes, I will be affected if I do not replace my old keys by then. Which then probably is a good opportunity to organise my keys and not have like 200 different keys :)

Simon