** Description changed:

- TBD
+ @release team: this is a WIP
+
+ As described in [1], arcfour-hmac-md5 and des3-cbc-sha1 are weak,
+ deprecated algorithms. However, krb5 still includes them in its default
+ algorithm lists when users do not specify a list with algorithms to be
+ used. This patch drops these two deprecated algorithms from that default
+ list.
+
+ Note that we do not intend to remove support for those algorithms at
+ this moment. For now, we will just drop them from the default list that
+ the client will try in case the user do not specify any algorithms in
+ their configuration file.
+
+ [1]
+ https://web.mit.edu/kerberos/krb5-1.20/doc/admin/enctypes.html#enctype-compatibility
+
+ The package was successfully built in
+ https://launchpad.net/~athos/+archive/ubuntu/krb5-enctypes/+packages
+
+ The packages in that PPA install and upgrade successfully and are also
+ passing autopkgtest runs.
+
+ Since there are no ABI changes (we are changing the default value for a
+ configuration), there is no need to worry about reverse dependencies
+ AFAICT. If this becomes an issue, it would likely be due to some
+ component using a deprecated (insecure) algorithm.

** Summary changed:

- Do not default to weak encryption algorithms
+ [FFe] Do not default to weak encryption algorithms

-- 
https://bugs.launchpad.net/bugs/2144909

Title:
  [FFe] Do not default to weak encryption algorithms
