Re: FYI: SSH1 now disabled at compile-time by default

We can be a little louder than release notes. It's probably a little
sketchy to just warn people against 5.x with all the backporting of
security fixes going on.  It'd be nice to say the specific CVEs or
patchsets you'd like people to be sure they're running.  As you say,
there's some nasty capability out there.

And after all these years, there's a lot of trust in you, and OpenSSH.
It's well earned.

It's a good time to be doing this shift.  A lot of crypto is being
sunsetted.  Just recommending a bit more awareness first.


On Wed, Mar 25, 2015 at 1:10 AM, Damien Miller <djm@xxxxxxxxxxx> wrote:

> On Wed, 25 Mar 2015, Dan Kaminsky wrote:
>
> > What would it hurt to announce the release in 3-6 months will drop
> > SSHv1 to a compile time option
>
> We did exactly that in the last release. See what I mean about nobody
> reading the release notes?
>
> > The alternative is they eventually trace back why some random critical
> > system failed to this very thread and are like, yeah, never blindly
> > push *that* guy's code...
>
> I hope nobody ever blindly pushes my code.
>
> -d
>
>
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev



