Could we do a bugfix release 2.13.2 for Apache MINA sshd, please?
I know it's only one change, but I think it's worth it. In 2.13.0 we had introduced an implementation for the sntrup761x25519-s...@openssh.com key exchange method, which is supposed to be quantum-safe. Unfortunately the implementation had a bug[1] that made this key exchange method fail with a probability of roughly 1/256. This went unnoticed in CI because our tests perform only a small number of connections against a known (OpenSSH) server. In the tests we were "lucky" so far that this bug has never surfaced. The bug occurs if the 32-byte result of the curve25519 key agreement happens to start with a zero byte. I only noticed it when I was benchmarking and doing hundreds of connections to an OpenSSH server. The bug is fixed[2] and the CI builds are green[3]. Since the fix, my local benchmarks (against an OpenSSH server, using this sntrup761x25519-s...@openssh.com key exchange) have never failed again in thousands of connections, so I'm confident that the fix indeed is correct. I would prefer to have a bugfix release for this and not mix it with other things. The pending performance improvements form PR 530 can go into the next 2.14.0 release then. Cheers, Thomas [1] https://github.com/apache/mina-sshd/issues/525 [2] https://github.com/apache/mina-sshd/commit/5b00c1fc592 [3] https://github.com/apache/mina-sshd/actions/runs/9943730618 [4] https://github.com/apache/mina-sshd/pull/530 --------------------------------------------------------------------- To unsubscribe, e-mail: dev-unsubscr...@mina.apache.org For additional commands, e-mail: dev-h...@mina.apache.org
