
Bug#481192: marked as done (openssh-server: openssl update with blacklists possibly breaks the system when the admin didn't read dsa mail)

Your message dated Fri, 2 Jan 2009 16:36:09 +0100 (CET)
with message-id <923382d4e68e4d26cd0b93bf324d8d9a.squirrel@wm.kinkhorst.nl>
and subject line can't be changed anymore
has caused the Debian Bug report #481192,
regarding openssh-server: openssl update with blacklists possibly breaks the system when the admin didn't read dsa mail
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org.)

481192: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=481192
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: openssh-server
Version: 1:4.7p1-9
Severity: important

The recent update has two big problems:
1) Yes, it tells the admin that it will replace the host key, but does
   not allow him to stop and do that step later.
2) It disables weak keys without further notice.

Both of these were documented in the DSA; however, only about 30000 admins
will read that, and as such it cannot be considered an information source
that reaches everyone.

 * Add a notice to NEWS.Debian. (Suggestion from Nico Golde.)
 * Make "no" an option on replacing the host key.
 * Ask whether weak keys should be disabled.

Especially the last point can result in the admin locking himself out of
the system, which is bad. Even if this is a user's fault, this behaviour is
not nice, and Debian's priority should by policy be its users.


PS: No, I did not encounter this problem by myself. ;-)

--- End Message ---
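The lock-out risk the reporter describes arises when every key in an account's authorized_keys is rejected once blacklisting is enforced. The following pre-check is an added example written for this page; it is not the reporter's code, not part of Debian's openssh or openssl packaging, and does not use Debian's actual blacklist file format. It computes the classic MD5 fingerprint of each authorized_keys entry and compares it against a constructed set of blacklisted fingerprints; the keys themselves are constructed ssh-ed25519 blobs built from arbitrary bytes, so no real key pair is involved. An admin would run the equivalent against the real blacklist before enabling enforcement, and refuse to proceed when no key would survive.

```python
import base64
import hashlib
import struct


def ssh_string(data):
    """Encode bytes as an SSH wire-format string (uint32 big-endian length + payload)."""
    return struct.pack(">I", len(data)) + data


def make_ed25519_pubkey_line(raw_key, comment):
    """Build an authorized_keys line for a constructed ssh-ed25519 public key.

    raw_key is any 32 bytes; the blob layout (type string + key string) matches the
    OpenSSH wire format, but the key material is made up for this example.
    """
    blob = ssh_string(b"ssh-ed25519") + ssh_string(raw_key)
    return "ssh-ed25519 %s %s" % (base64.b64encode(blob).decode("ascii"), comment)


def md5_fingerprint(authorized_keys_line):
    """Return the colon-separated MD5 fingerprint of one authorized_keys line.

    Leading options without embedded spaces (e.g. 'no-pty,no-agent-forwarding')
    are skipped; the key type is the first token starting with 'ssh-' or 'ecdsa-'.
    """
    fields = authorized_keys_line.split()
    for i, field in enumerate(fields):
        if field.startswith(("ssh-", "ecdsa-")):
            blob = base64.b64decode(fields[i + 1])
            digest = hashlib.md5(blob).hexdigest()
            return ":".join(digest[j:j + 2] for j in range(0, len(digest), 2))
    raise ValueError("no public key found in line: %r" % authorized_keys_line)


def classify_keys(authorized_keys_text, blacklist):
    """Split an authorized_keys file into (weak, strong) fingerprint lists.

    A key is weak if its fingerprint is in the blacklist set. Blank lines and
    '#' comments are ignored, as sshd ignores them.
    """
    weak, strong = [], []
    for line in authorized_keys_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fingerprint = md5_fingerprint(line)
        (weak if fingerprint in blacklist else strong).append(fingerprint)
    return weak, strong


def safe_to_enforce_blacklist(authorized_keys_text, blacklist):
    """True only if at least one key survives enforcement, so the account keeps a login."""
    _weak, strong = classify_keys(authorized_keys_text, blacklist)
    return len(strong) > 0


# Constructed sample data (not real keys, not Debian's blacklist format).
WEAK_KEY_BYTES = bytes(range(32))
GOOD_KEY_BYTES = bytes(range(32, 64))
WEAK_LINE = make_ed25519_pubkey_line(WEAK_KEY_BYTES, "admin@old-laptop")
GOOD_LINE = "no-pty," "no-agent-forwarding " + make_ed25519_pubkey_line(GOOD_KEY_BYTES, "admin@workstation")
CONSTRUCTED_BLACKLIST = {md5_fingerprint(WEAK_LINE)}

SAMPLE_AUTHORIZED_KEYS = "\n".join([
    "# constructed authorized_keys for the example",
    WEAK_LINE,
    "",
    GOOD_LINE,
])
ONLY_WEAK_AUTHORIZED_KEYS = WEAK_LINE + "\n"

if __name__ == "__main__":
    weak, strong = classify_keys(SAMPLE_AUTHORIZED_KEYS, CONSTRUCTED_BLACKLIST)
    print("blacklisted:", weak)
    print("acceptable: ", strong)
    print("safe to enforce (mixed file):   ", safe_to_enforce_blacklist(SAMPLE_AUTHORIZED_KEYS, CONSTRUCTED_BLACKLIST))
    print("safe to enforce (only weak key):", safe_to_enforce_blacklist(ONLY_WEAK_AUTHORIZED_KEYS, CONSTRUCTED_BLACKLIST))
```

The decision the reporter asks for (a debconf question before disabling weak keys) maps onto the last call: when it returns False for the accounts an admin relies on, enforcement should be deferred until a fresh key has been installed.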
--- Begin Message ---

Regardless of the views expressed in this bug, the package's behaviour
cannot be meaningfully changed anymore to undo the issues the reporter
described. Even if we were to find a better solution, it is reasonable to
assume that nearly everyone has already upgraded their systems, so a DSA
update would not add significant value.


--- End Message ---
