
Bug#481192: openssh-server: openssl update with blacklists possibly breaks the system when the admin didn't read dsa mail



Package: openssh-server
Version: 1:4.7p1-9
Severity: important

The recent update has two big problems:
1) Yes, it tells the admin that it will replace the host key, but it does
   not allow him to stop and do that step later.
2) It disables weak keys without further notice.

Both of these were documented in the DSA; however, only about 30000 admins
will read that, so it cannot be considered an information source that
reaches everyone.

Suggestions:
 * Add a notice to NEWS.Debian. (Suggestion from Nico Golde.)
 * Make "no" an option on replacing the host key.
 * Ask whether weak keys should be disabled.

Especially the last point can result in the admin locking himself out of
the system, which is bad. Even if this is a user's fault, this behaviour is
not nice, and Debian's priority should by policy be its users.

Helmut

PS: No, I did not encounter this problem by myself. ;-)
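The lock-out the report warns about happens when every key in a user's authorized_keys (or a host key) is on the blacklist that the update starts enforcing. An admin can avoid that by checking which keys would be rejected before upgrading. The script below is an added example and is not part of the bug report or of the Debian openssh packaging; it assumes a blacklist format of one 20-hex-digit entry per line (the last 20 hex digits of the MD5 digest of the base64-decoded key blob, with '#' comment lines), which is a stated assumption rather than a verified description of the real blacklist files. The authorized_keys content and the blacklist are constructed inline from arbitrary bytes so the example runs offline; the same check applies to ssh_host_*_key.pub files.

```python
import base64
import hashlib

KEY_TYPES = ("ssh-rsa", "ssh-dss")


def fingerprint_suffix(key_b64):
    """Blacklist entry for one key: last 20 hex digits of the MD5 of the raw
    key blob. This entry format is an assumption made for the example."""
    blob = base64.b64decode(key_b64)
    return hashlib.md5(blob).hexdigest()[-20:]


def load_blacklist(text):
    """Parse blacklist text into a set of lowercase entries; '#' lines and
    blank lines are skipped."""
    entries = set()
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        entries.add(line.lower())
    return entries


def parse_authorized_keys(text):
    """Yield (line_number, key_type, key_b64, comment) for each key line.
    Lines may carry an options prefix (command=..., no-pty, ...), so the key
    type is located by token rather than assumed to be the first field."""
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        tokens = line.split()
        for i, tok in enumerate(tokens):
            if tok in KEY_TYPES and i + 1 < len(tokens):
                comment = " ".join(tokens[i + 2:])
                yield lineno, tok, tokens[i + 1], comment
                break


def find_blacklisted(authorized_keys_text, blacklist):
    """Return the keys the blacklist would reject as (lineno, type, comment)."""
    hits = []
    for lineno, ktype, key_b64, comment in parse_authorized_keys(authorized_keys_text):
        try:
            suffix = fingerprint_suffix(key_b64)
        except ValueError:
            # Malformed base64 (binascii.Error is a ValueError): the line
            # would not work as a key anyway, so it cannot be what locks
            # the admin out; skip it.
            continue
        if suffix in blacklist:
            hits.append((lineno, ktype, comment))
    return hits


def _b64(data):
    return base64.b64encode(data).decode("ascii")


# Constructed sample authorized_keys: the blobs are arbitrary bytes standing
# in for key encodings; they are not usable SSH keys.
SAMPLE_AUTHORIZED_KEYS = "\n".join([
    "# constructed authorized_keys for the example",
    "ssh-rsa " + _b64(b"constructed-blob-alice") + " alice@example",
    'command="/usr/bin/backup -v",no-pty ssh-dss ' + _b64(b"constructed-blob-bob") + " bob@example",
    "ssh-rsa " + _b64(b"constructed-blob-carol") + " carol@example",
    "ssh-rsa not-base64!! broken@example",
])

# Constructed blacklist listing alice's and bob's sample keys (format assumed).
SAMPLE_BLACKLIST = "\n".join([
    "# constructed blacklist for the example",
    fingerprint_suffix(_b64(b"constructed-blob-alice")),
    fingerprint_suffix(_b64(b"constructed-blob-bob")),
])


def demo():
    """Report every key that would stop working once the blacklist is enforced."""
    hits = find_blacklisted(SAMPLE_AUTHORIZED_KEYS, load_blacklist(SAMPLE_BLACKLIST))
    for lineno, ktype, comment in hits:
        print(f"line {lineno}: {ktype} key '{comment}' is blacklisted; replace it before upgrading")
    return hits


if __name__ == "__main__":
    demo()
```

Run against real files, the useful outcome is the empty case: if every key a user relies on is reported, that user (or the admin, for root) needs a replacement key installed before the update enforces the blacklist, which is exactly the step the report says the package gives no chance to take.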


