** Description changed:

@release team: this is a WIP

As described in [1], arcfour-hmac-md5 and des3-cbc-sha1 are weak, deprecated algorithms. However, krb5 still includes them in its default algorithm lists when users do not specify a list with algorithms to be used.

This patch drops these two deprecated algorithms from that default list.

Note that we do not intend to remove support for those algorithms at this moment. For now, we will just drop them from the default list that the client will try in case the user does not specify any algorithms in their configuration file.

[1] https://web.mit.edu/kerberos/krb5-1.20/doc/admin/enctypes.html#enctype-compatibility

The package was successfully built in https://launchpad.net/~athos/+archive/ubuntu/krb5-enctypes/+packages

The packages in that PPA install and upgrade successfully and are also passing autopkgtest runs.

Since there are no ABI changes (we are changing the default value for a configuration), there is no need to worry about reverse dependencies AFAICT. If this becomes an issue, it would likely be due to some component using a deprecated (insecure) algorithm.

+ + $ seeded-in-ubuntu krb5 + krb5-doc (from krb5) is seeded in: + ubuntu-budgie: supported + ubuntu: supported + krb5-locales (from krb5) is seeded in: + edubuntu: daily-live, daily-preinstalled + kubuntu: daily-live + lubuntu: daily-live + ubuntu-budgie: daily-live + ubuntu-core-installer: daily-live + ubuntu-mate: daily-live + ubuntu-server: daily-live, daily-preinstalled + ubuntu-unity: daily-live + ubuntu-wsl: daily-live + ubuntu: daily-dangerous, daily-live, daily-preinstalled + ubuntucinnamon: daily-live + ubuntukylin: daily-live + ubuntustudio: daily-live + xubuntu: daily-live, daily-minimal + krb5-multidev (from krb5) is seeded in: + ubuntu-budgie: supported + ubuntu: supported + libgssapi-krb5-2 (from krb5) is seeded in: + edubuntu: daily-live, daily-preinstalled + kubuntu: daily-live + lubuntu: daily-live + ubuntu-budgie: daily-live + ubuntu-core-installer: daily-live + ubuntu-mate: daily-live + ubuntu-server: daily-live, daily-preinstalled + ubuntu-unity: daily-live + ubuntu-wsl: daily-live + ubuntu: daily-dangerous, daily-live, daily-preinstalled + ubuntucinnamon: daily-live + ubuntukylin: daily-live + ubuntustudio: daily-live + xubuntu: daily-live, daily-minimal + libgssrpc4t64 (from krb5) is seeded in: + ubuntu-budgie: supported + ubuntu: supported + libk5crypto3 (from krb5) is seeded in: + edubuntu: daily-live, daily-preinstalled + kubuntu: daily-live + lubuntu: daily-live + ubuntu-budgie: daily-live + ubuntu-core-installer: daily-live + ubuntu-mate: daily-live + ubuntu-server: daily-live, daily-preinstalled + ubuntu-unity: daily-live + ubuntu-wsl: daily-live + ubuntu: daily-dangerous, daily-live, daily-preinstalled + ubuntucinnamon: daily-live + ubuntukylin: daily-live + ubuntustudio: daily-live + xubuntu: daily-live, daily-minimal + libkadm5clnt-mit12 (from krb5) is seeded in: + ubuntu-budgie: supported + ubuntu: supported + libkadm5srv-mit12 (from krb5) is seeded in: + ubuntu-budgie: supported + ubuntu: supported + libkdb5-10t64 (from krb5) is 
seeded in: + ubuntu-budgie: supported + ubuntu: supported + libkrad-dev (from krb5) is seeded in: + ubuntu-budgie: supported + ubuntu: supported + libkrad0 (from krb5) is seeded in: + ubuntu-budgie: supported + ubuntu: supported + libkrb5-3 (from krb5) is seeded in: + edubuntu: daily-live, daily-preinstalled + kubuntu: daily-live + lubuntu: daily-live + ubuntu-budgie: daily-live + ubuntu-core-installer: daily-live + ubuntu-mate: daily-live + ubuntu-server: daily-live, daily-preinstalled + ubuntu-unity: daily-live + ubuntu-wsl: daily-live + ubuntu: daily-dangerous, daily-live, daily-preinstalled + ubuntucinnamon: daily-live + ubuntukylin: daily-live + ubuntustudio: daily-live + xubuntu: daily-live, daily-minimal + libkrb5-dbg (from krb5) is seeded in: + ubuntu-budgie: supported + ubuntu: supported + libkrb5-dev (from krb5) is seeded in: + ubuntu-budgie: supported + ubuntu: supported + libkrb5support0 (from krb5) is seeded in: + edubuntu: daily-live, daily-preinstalled + kubuntu: daily-live + lubuntu: daily-live + ubuntu-budgie: daily-live + ubuntu-core-installer: daily-live + ubuntu-mate: daily-live + ubuntu-server: daily-live, daily-preinstalled + ubuntu-unity: daily-live + ubuntu-wsl: daily-live + ubuntu: daily-dangerous, daily-live, daily-preinstalled + ubuntucinnamon: daily-live + ubuntukylin: daily-live + ubuntustudio: daily-live + xubuntu: daily-live, daily-minimal
** Description changed:

- @release team: this is a WIP
-
As described in [1], arcfour-hmac-md5 and des3-cbc-sha1 are weak, deprecated algorithms. However, krb5 still includes them in its default algorithm lists when users do not specify a list with algorithms to be used.

This patch drops these two deprecated algorithms from that default list.

Note that we do not intend to remove support for those algorithms at this moment. For now, we will just drop them from the default list that the client will try in case the user does not specify any algorithms in their configuration file.

[1] https://web.mit.edu/kerberos/krb5-1.20/doc/admin/enctypes.html#enctype-compatibility

The package was successfully built in https://launchpad.net/~athos/+archive/ubuntu/krb5-enctypes/+packages

The packages in that PPA install and upgrade successfully and are also passing autopkgtest runs.

Since there are no ABI changes (we are changing the default value for a configuration), there is no need to worry about reverse dependencies AFAICT. If this becomes an issue, it would likely be due to some component using a deprecated (insecure) algorithm.

$ seeded-in-ubuntu krb5 krb5-doc (from krb5) is seeded in: - ubuntu-budgie: supported - ubuntu: supported + ubuntu-budgie: supported + ubuntu: supported krb5-locales (from krb5) is seeded in: - edubuntu: daily-live, daily-preinstalled - kubuntu: daily-live - lubuntu: daily-live - ubuntu-budgie: daily-live - ubuntu-core-installer: daily-live - ubuntu-mate: daily-live - ubuntu-server: daily-live, daily-preinstalled - ubuntu-unity: daily-live - ubuntu-wsl: daily-live - ubuntu: daily-dangerous, daily-live, daily-preinstalled - ubuntucinnamon: daily-live - ubuntukylin: daily-live - ubuntustudio: daily-live - xubuntu: daily-live, daily-minimal + edubuntu: daily-live, daily-preinstalled + kubuntu: daily-live + lubuntu: daily-live + ubuntu-budgie: daily-live + ubuntu-core-installer: daily-live + ubuntu-mate: daily-live + ubuntu-server: daily-live, daily-preinstalled + ubuntu-unity: daily-live + ubuntu-wsl: daily-live + ubuntu: daily-dangerous, daily-live, daily-preinstalled + ubuntucinnamon: daily-live + ubuntukylin: daily-live + ubuntustudio: daily-live + xubuntu: daily-live, daily-minimal krb5-multidev (from krb5) is seeded in: - ubuntu-budgie: supported - ubuntu: supported + ubuntu-budgie: supported + ubuntu: supported libgssapi-krb5-2 (from krb5) is seeded in: - edubuntu: daily-live, daily-preinstalled - kubuntu: daily-live - lubuntu: daily-live - ubuntu-budgie: daily-live - ubuntu-core-installer: daily-live - ubuntu-mate: daily-live - ubuntu-server: daily-live, daily-preinstalled - ubuntu-unity: daily-live - ubuntu-wsl: daily-live - ubuntu: daily-dangerous, daily-live, daily-preinstalled - ubuntucinnamon: daily-live - ubuntukylin: daily-live - ubuntustudio: daily-live - xubuntu: daily-live, daily-minimal + edubuntu: daily-live, daily-preinstalled + kubuntu: daily-live + lubuntu: daily-live + ubuntu-budgie: daily-live + ubuntu-core-installer: daily-live + ubuntu-mate: daily-live + ubuntu-server: daily-live, daily-preinstalled + ubuntu-unity: daily-live + ubuntu-wsl: 
daily-live + ubuntu: daily-dangerous, daily-live, daily-preinstalled + ubuntucinnamon: daily-live + ubuntukylin: daily-live + ubuntustudio: daily-live + xubuntu: daily-live, daily-minimal libgssrpc4t64 (from krb5) is seeded in: - ubuntu-budgie: supported - ubuntu: supported + ubuntu-budgie: supported + ubuntu: supported libk5crypto3 (from krb5) is seeded in: - edubuntu: daily-live, daily-preinstalled - kubuntu: daily-live - lubuntu: daily-live - ubuntu-budgie: daily-live - ubuntu-core-installer: daily-live - ubuntu-mate: daily-live - ubuntu-server: daily-live, daily-preinstalled - ubuntu-unity: daily-live - ubuntu-wsl: daily-live - ubuntu: daily-dangerous, daily-live, daily-preinstalled - ubuntucinnamon: daily-live - ubuntukylin: daily-live - ubuntustudio: daily-live - xubuntu: daily-live, daily-minimal + edubuntu: daily-live, daily-preinstalled + kubuntu: daily-live + lubuntu: daily-live + ubuntu-budgie: daily-live + ubuntu-core-installer: daily-live + ubuntu-mate: daily-live + ubuntu-server: daily-live, daily-preinstalled + ubuntu-unity: daily-live + ubuntu-wsl: daily-live + ubuntu: daily-dangerous, daily-live, daily-preinstalled + ubuntucinnamon: daily-live + ubuntukylin: daily-live + ubuntustudio: daily-live + xubuntu: daily-live, daily-minimal libkadm5clnt-mit12 (from krb5) is seeded in: - ubuntu-budgie: supported - ubuntu: supported + ubuntu-budgie: supported + ubuntu: supported libkadm5srv-mit12 (from krb5) is seeded in: - ubuntu-budgie: supported - ubuntu: supported + ubuntu-budgie: supported + ubuntu: supported libkdb5-10t64 (from krb5) is seeded in: - ubuntu-budgie: supported - ubuntu: supported + ubuntu-budgie: supported + ubuntu: supported libkrad-dev (from krb5) is seeded in: - ubuntu-budgie: supported - ubuntu: supported + ubuntu-budgie: supported + ubuntu: supported libkrad0 (from krb5) is seeded in: - ubuntu-budgie: supported - ubuntu: supported + ubuntu-budgie: supported + ubuntu: supported libkrb5-3 (from krb5) is seeded in: - edubuntu: 
daily-live, daily-preinstalled - kubuntu: daily-live - lubuntu: daily-live - ubuntu-budgie: daily-live - ubuntu-core-installer: daily-live - ubuntu-mate: daily-live - ubuntu-server: daily-live, daily-preinstalled - ubuntu-unity: daily-live - ubuntu-wsl: daily-live - ubuntu: daily-dangerous, daily-live, daily-preinstalled - ubuntucinnamon: daily-live - ubuntukylin: daily-live - ubuntustudio: daily-live - xubuntu: daily-live, daily-minimal + edubuntu: daily-live, daily-preinstalled + kubuntu: daily-live + lubuntu: daily-live + ubuntu-budgie: daily-live + ubuntu-core-installer: daily-live + ubuntu-mate: daily-live + ubuntu-server: daily-live, daily-preinstalled + ubuntu-unity: daily-live + ubuntu-wsl: daily-live + ubuntu: daily-dangerous, daily-live, daily-preinstalled + ubuntucinnamon: daily-live + ubuntukylin: daily-live + ubuntustudio: daily-live + xubuntu: daily-live, daily-minimal libkrb5-dbg (from krb5) is seeded in: - ubuntu-budgie: supported - ubuntu: supported + ubuntu-budgie: supported + ubuntu: supported libkrb5-dev (from krb5) is seeded in: - ubuntu-budgie: supported - ubuntu: supported + ubuntu-budgie: supported + ubuntu: supported libkrb5support0 (from krb5) is seeded in: - edubuntu: daily-live, daily-preinstalled - kubuntu: daily-live - lubuntu: daily-live - ubuntu-budgie: daily-live - ubuntu-core-installer: daily-live - ubuntu-mate: daily-live - ubuntu-server: daily-live, daily-preinstalled - ubuntu-unity: daily-live - ubuntu-wsl: daily-live - ubuntu: daily-dangerous, daily-live, daily-preinstalled - ubuntucinnamon: daily-live - ubuntukylin: daily-live - ubuntustudio: daily-live - xubuntu: daily-live, daily-minimal + edubuntu: daily-live, daily-preinstalled + kubuntu: daily-live + lubuntu: daily-live + ubuntu-budgie: daily-live + ubuntu-core-installer: daily-live + ubuntu-mate: daily-live + ubuntu-server: daily-live, daily-preinstalled + ubuntu-unity: daily-live + ubuntu-wsl: daily-live + ubuntu: daily-dangerous, daily-live, daily-preinstalled + 
ubuntucinnamon: daily-live + ubuntukylin: daily-live + ubuntustudio: daily-live + xubuntu: daily-live, daily-minimal

** Tags added: server-todo

--
You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/2144909

Title:
  [FFe] Do not default to weak encryption algorithms

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/krb5/+bug/2144909/+subscriptions

--
ubuntu-bugs mailing list
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
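
An added example, not part of the bug report or of the krb5 package: a small Python audit showing which of the two enctypes named in the description a krb5.conf still enables, with and without them in the built-in default list. The sample configuration is constructed; the alias and family names and the `DEFAULT` / minus-prefix list syntax follow the MIT krb5 enctype documentation, and the script assumes a flat `[libdefaults]` section and ignores every other setting.

```python
import re

# Names (aliases and families) that select the two enctypes the report calls weak.
WEAK = {
    **dict.fromkeys(("arcfour-hmac-md5", "arcfour-hmac", "rc4-hmac", "rc4"), "arcfour-hmac-md5"),
    **dict.fromkeys(("des3-cbc-sha1", "des3-hmac-sha1", "des3-cbc-sha1-kd", "des3"), "des3-cbc-sha1"),
}
ENCTYPE_VARS = ("permitted_enctypes", "default_tkt_enctypes", "default_tgs_enctypes")

SAMPLE = """\
# constructed sample krb5.conf
[libdefaults]
    default_realm = EXAMPLE.COM
    permitted_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac
    default_tkt_enctypes = DEFAULT -des3
[realms]
    EXAMPLE.COM = {
        kdc = kdc.example.com
    }
"""

def libdefaults(text):
    """Return {key: value} for [libdefaults], keeping the first occurrence of a key."""
    section, found = None, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        header = re.fullmatch(r"\[(\w+)\]", line)
        if header:
            section = header.group(1)
        elif section == "libdefaults" and "=" in line:
            key, value = line.split("=", 1)
            found.setdefault(key.strip(), value.strip())
    return found

def audit(text, default_has_weak=True):
    """Map each enctype variable to the weak enctypes it enables.
    default_has_weak models the built-in list: True before the change, False after."""
    conf, report = libdefaults(text), {}
    for var in ENCTYPE_VARS:
        enabled = set()
        # An unset variable falls back to the built-in default list.
        for tok in re.split(r"[,\s]+", conf.get(var, "DEFAULT")):
            if tok == "DEFAULT" and default_has_weak:
                enabled |= set(WEAK.values())
            elif tok.startswith("-") and tok[1:] in WEAK:
                enabled.discard(WEAK[tok[1:]])   # "-name" removes from the list so far
            elif tok in WEAK:
                enabled.add(WEAK[tok])
        report[var] = sorted(enabled)
    return report
```

With the changed default, only variables that name a weak enctype explicitly still report one, which is the case the description expects to surface if anything breaks.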
