What exactly are we supposed to do in this? Is this a review request?

(In reply to Matthias Gerstner from comment #1)
> What exactly are we supposed to do in this? Is this a review request?

I would say review and awareness, I mentioned the security component because the changes that will be introduced by adding the crypto-policies support for the mentioned package could affect the cryptographic security levels. Would that be fine?

i think there is no direct action for the product securiy team, unless there is help needed for reviewing adjustments, or help for packaging.

(In reply to pmonrealgonzalez@suse.com from comment #2)
> (In reply to Matthias Gerstner from comment #1)
> > What exactly are we supposed to do in this? Is this a review request?
> 
> I would say review and awareness, I mentioned the security component because the changes that will be introduced by adding the crypto-policies support for the mentioned package could affect the cryptographic security levels. Would that be fine?

If you add any new patches to the existing packages then please point them out
to us and we will look into them. crypto-policies itself was already reviewed
and probably there didn't change that much.

Looking at the java packages, I've noticed that all the openjdk versions support crypto-policies except for java-13-openjdk and java-15-openjdk. The rest of the codestreams introduced the c-p support as included in the patch named fips.patch, these are:
  * java-1_8_0-openjdk
  * java-11-openjdk
  * java-17-openjdk
  * java-18-openjdk
  * java-19-openjdk

@Fridrich, are there any plans to port the fips.patch to the java-13-openjdk and the java-15-openjdk codestreams or the crypto-policies bits in the patch? Just asking, I guess its a lot of work and probably not needed since we can claim the rest of the version to support it. TIA

(In reply to Pedro Monreal Gonzalez from comment #5)
> @Fridrich, are there any plans to port the fips.patch to the java-13-openjdk
> and the java-15-openjdk codestreams or the crypto-policies bits in the
> patch? Just asking, I guess its a lot of work and probably not needed since
> we can claim the rest of the version to support it. TIA

No, they are lacking maintainer and not receiving security patches any more. I should remove them from Factory, I guess.

(In reply to Fridrich Strba from comment #6)
> (In reply to Pedro Monreal Gonzalez from comment #5)
> > @Fridrich, are there any plans to port the fips.patch to the java-13-openjdk
> > and the java-15-openjdk codestreams or the crypto-policies bits in the
> > patch? Just asking, I guess its a lot of work and probably not needed since
> > we can claim the rest of the version to support it. TIA
> 
> No, they are lacking maintainer and not receiving security patches any more.
> I should remove them from Factory, I guess.

OK, thanks for the info! Nothing to do for Java then.

Stunnel submission: https://build.opensuse.org/request/show/1109525

Bind submission: https://build.opensuse.org/request/show/1110298

This is an autogenerated message for OBS integration:
This bug (1211301) was mentioned in
https://build.opensuse.org/request/show/1110323 Factory / bind

Pacemaker submission: https://build.opensuse.org/request/show/1113625

Libssh submission: https://build.opensuse.org/request/show/1113627

Vsftpd submission: https://build.opensuse.org/request/show/1113641

(In reply to Pedro Monreal Gonzalez from comment #14)
> Pacemaker submission: https://build.opensuse.org/request/show/1113625

The pacemaker maintainer will submit this change together with additional changes.

krb5 submission: https://build.opensuse.org/request/show/1153192

mozilla-nss submission: https://build.opensuse.org/request/show/1154074

openssh submission: https://build.opensuse.org/request/show/1155471

php8 submission: https://build.opensuse.org/request/show/1155517

This is an autogenerated message for OBS integration:
This bug (1211301) was mentioned in
https://build.opensuse.org/request/show/1155742 Factory / php8

python38 -> 313 submissions: https://build.opensuse.org/request/show/1155683

On a current check, we have found some packages that still need CP adaption. We are currently checking all Factory sources to find more packages that use functions that set the cipher suite,, i.e.:
  * OpenSSL: SSL_CTX_set_cipher_list
  * GnuTLS: gnutls_priority_set_direct, gnutls_priority_init
  * perl-IO-Socket: SSL_cipher_list
  * perl-Net-SSLeay: CTX_set_cipher_list
  * perl-LWP-UserAgent: SSL_cipher_list
  * ...

Here is a list of identified packages that need to be checked:
 1) strongswan: Probably all done through openssl and adapted packages to CP

 2) openldap2: https://src.fedoraproject.org/rpms/openldap/c/81afb576

 3) libmicrohttpd: https://src.fedoraproject.org/rpms/libmicrohttpd/blob/rawhide/f/gnutls-utilize-system-crypto-policy.patch

 4) gtk-gnutella: Uses gnutls_priority_set_direct() but probably wontfix and follow upstream

 5) csync2: Uses gnutls_priority_set_direct()

 6) gnustep-base: https://src.fedoraproject.org/rpms/gnustep-base/blob/rawhide/f/gnustep-base-use_system-wide_crypto-policies.patch

 7) connman: https://src.fedoraproject.org/rpms/connman/blob/f26/f/connman-1.33-crypto.patch

 8) LibVNCServer: https://src.fedoraproject.org/rpms/libvncserver/blob/rawhide/f/libvncserver-LibVNCServer-0.9.13-system-crypto-policy.patch

 9) xen: https://src.fedoraproject.org/rpms/xen/blob/rawhide/f/xen.fedora.crypt.patch

 10) nginx: Edit nginx.conf.default and replace "ssl_ciphers  HIGH:!aNULL:!MD5;" with PROFILE=SYSTEM;

 11) claws-mail: https://src.fedoraproject.org/rpms/claws-mail/blob/rawhide/f/claws-mail-system-crypto-policies.patch

 12) openconnect: Add the configure option --with-default-gnutls-priority="@OPENCONNECT,SYSTEM"

 13) aria2: Build with --enable-gnutls-system-crypto-policy configure option

 14) net6: Maybe needed https://src.fedoraproject.org/rpms/net6/c/720dc5c777e198884f57c10af6c968f062f0cc24?branch=rawhide

 15) dovecot: https://src.fedoraproject.org/rpms/dovecot/blob/rawhide/f/dovecot-2.0-defaultconfig.patch

 16) libetpan: https://src.fedoraproject.org/rpms/libetpan/blob/rawhide/f/libetpan-1.9.2-cryptopolicy.patch

 17) mutt: Check if  rm -f mutt_ssl.c is needed and use the patch https://src.fedoraproject.org/rpms/mutt/blob/rawhide/f/mutt-1.9.0-ssl_ciphers.patch

We are currently checking for more packages ATM.

This is an autogenerated message for OBS integration:
This bug (1211301) was mentioned in
https://build.opensuse.org/request/show/1157149 Factory / python311

SUSE-SU-2024:1009-1: An update that solves three vulnerabilities and has one security fix can now be installed.

Category: security (important)
Bug References: 1211301, 1219559, 1219666, 1221854
CVE References: CVE-2023-52425, CVE-2023-6597, CVE-2024-0450
Maintenance Incident: [SUSE:Maintenance:33053](https://smelt.suse.de/incident/33053/)
Sources used:
openSUSE Leap 15.3 (src):
 python39-3.9.19-150300.4.41.1, python39-documentation-3.9.19-150300.4.41.1, python39-core-3.9.19-150300.4.41.2
openSUSE Leap 15.5 (src):
 python39-3.9.19-150300.4.41.1, python39-documentation-3.9.19-150300.4.41.1, python39-core-3.9.19-150300.4.41.2
SUSE Linux Enterprise High Performance Computing LTSS 15 SP3 (src):
 python39-3.9.19-150300.4.41.1, python39-core-3.9.19-150300.4.41.2
SUSE Linux Enterprise Server 15 SP3 LTSS 15-SP3 (src):
 python39-3.9.19-150300.4.41.1, python39-core-3.9.19-150300.4.41.2
SUSE Linux Enterprise Server for SAP Applications 15 SP3 (src):
 python39-3.9.19-150300.4.41.1, python39-core-3.9.19-150300.4.41.2
SUSE Enterprise Storage 7.1 (src):
 python39-3.9.19-150300.4.41.1, python39-core-3.9.19-150300.4.41.2

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.

SUSE-SU-2024:1162-1: An update that solves three vulnerabilities and has two security fixes can now be installed.

Category: security (important)
Bug References: 1189495, 1211301, 1219559, 1219666, 1221854
CVE References: CVE-2023-52425, CVE-2023-6597, CVE-2024-0450
Maintenance Incident: [SUSE:Maintenance:33187](https://smelt.suse.de/incident/33187/)
Sources used:
openSUSE Leap 15.4 (src):
 python310-documentation-3.10.14-150400.4.45.1, python310-3.10.14-150400.4.45.1, python310-core-3.10.14-150400.4.45.1
openSUSE Leap 15.5 (src):
 python310-documentation-3.10.14-150400.4.45.1, python310-3.10.14-150400.4.45.1, python310-core-3.10.14-150400.4.45.1
SUSE Linux Enterprise High Performance Computing ESPOS 15 SP4 (src):
 python310-3.10.14-150400.4.45.1, python310-core-3.10.14-150400.4.45.1
SUSE Linux Enterprise High Performance Computing LTSS 15 SP4 (src):
 python310-3.10.14-150400.4.45.1, python310-core-3.10.14-150400.4.45.1
SUSE Linux Enterprise Desktop 15 SP4 LTSS 15-SP4 (src):
 python310-3.10.14-150400.4.45.1, python310-core-3.10.14-150400.4.45.1
SUSE Linux Enterprise Server 15 SP4 LTSS 15-SP4 (src):
 python310-3.10.14-150400.4.45.1, python310-core-3.10.14-150400.4.45.1
SUSE Linux Enterprise Server for SAP Applications 15 SP4 (src):
 python310-3.10.14-150400.4.45.1, python310-core-3.10.14-150400.4.45.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.

This breaks existing openssh setups.

It goes something like this:

On SLE11 a 1024bit RSA key is generated.

Clients connect to the server and save the key as known.

Later SSH is upgraded and generates an ED25519 key.

However, clients who have seen the server before have the 1024bit RSA key, and will reject the server offering a 1024bit RSA key.

It's not clear if the clients don't save the additional keys once they have one or if they reject the server if any of the keys is weak even if strong keys are known.

Either way, this is a regression, clients can no longer connect, for no good reason.

(In reply to Michal Suchanek from comment #34)
> This breaks existing openssh setups.
> 
> It goes something like this:
> 
> On SLE11 a 1024bit RSA key is generated.
> 
> Clients connect to the server and save the key as known.
> 
> Later SSH is upgraded and generates an ED25519 key.
> 
> However, clients who have seen the server before have the 1024bit RSA key,
> and will reject the server offering a 1024bit RSA key.
> 
> It's not clear if the clients don't save the additional keys once they have
> one or if they reject the server if any of the keys is weak even if strong
> keys are known.
> 
> Either way, this is a regression, clients can no longer connect, for no good
> reason.

This change was intended for Factory and it has been introduced in SP6 just this week and I think this is a nice feature for openssh to follow system-wide crypto policies like other packages do already. We are still working on enabling c-p support for all possible packages. I think this should be documented but I'm adding Antonio Larrosa in CC in case this needs to be reverted in SP6 or documented.

The LEGACY policy allows RSA keys with size >= 1024 and DEFAULT has >= 2048. The 1024 keylengths can be enabled by using custom policies as described in the man pages or just using the LEGACY policy temporarily for this:

    * update-crypto-policies --set LEGACY

@Marcus Meissner, what would you advise to do here for SP6? TIA

LEGACY should work with SLE11 , but the DEFAULTs and others profiles are supposed to meet respective current standards. (not RSA 1024 anymore)

This is problem for openssh clients connecting to servers that have been installed a long time ago.

The RSA key may not conform to the policy, the server offers keys with modern algorithms as well but the clients never upgrade to them.

(In reply to Michal Suchanek from comment #34)
> This breaks existing openssh setups.

Addressed in bug 1222831

This does not fix the problem for all users but should fix the default settings on Leap at least.

People who get problems on Tumbleweed are seeing some problem not addressed by this fix, it's available on Tumbleweed for a while already.

SUSE-SU-2024:1556-1: An update that solves three vulnerabilities and has three security fixes can now be installed.

Category: security (important)
Bug References: 1189495, 1211301, 1219559, 1219666, 1221260, 1221854
CVE References: CVE-2023-52425, CVE-2023-6597, CVE-2024-0450
Maintenance Incident: [SUSE:Maintenance:33618](https://smelt.suse.de/incident/33618/)
Sources used:
openSUSE Leap 15.4 (src):
 python311-3.11.9-150400.9.26.1, python311-core-3.11.9-150400.9.26.1, python311-documentation-3.11.9-150400.9.26.1
openSUSE Leap 15.5 (src):
 python311-3.11.9-150400.9.26.1, python311-core-3.11.9-150400.9.26.1, python311-documentation-3.11.9-150400.9.26.1
Public Cloud Module 15-SP4 (src):
 python311-3.11.9-150400.9.26.1, python311-core-3.11.9-150400.9.26.1
Python 3 Module 15-SP5 (src):
 python311-3.11.9-150400.9.26.1, python311-core-3.11.9-150400.9.26.1, python311-documentation-3.11.9-150400.9.26.1
SUSE Linux Enterprise High Performance Computing ESPOS 15 SP4 (src):
 python311-3.11.9-150400.9.26.1, python311-core-3.11.9-150400.9.26.1, python311-documentation-3.11.9-150400.9.26.1
SUSE Linux Enterprise High Performance Computing LTSS 15 SP4 (src):
 python311-3.11.9-150400.9.26.1, python311-core-3.11.9-150400.9.26.1, python311-documentation-3.11.9-150400.9.26.1
SUSE Linux Enterprise Desktop 15 SP4 LTSS 15-SP4 (src):
 python311-3.11.9-150400.9.26.1, python311-core-3.11.9-150400.9.26.1, python311-documentation-3.11.9-150400.9.26.1
SUSE Linux Enterprise Server 15 SP4 LTSS 15-SP4 (src):
 python311-3.11.9-150400.9.26.1, python311-core-3.11.9-150400.9.26.1, python311-documentation-3.11.9-150400.9.26.1
SUSE Linux Enterprise Server for SAP Applications 15 SP4 (src):
 python311-3.11.9-150400.9.26.1, python311-core-3.11.9-150400.9.26.1, python311-documentation-3.11.9-150400.9.26.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.

SUSE-RU-2024:2046-1: An update that has one fix can now be installed.

Category: recommended (moderate)
Bug References: 1211301
Maintenance Incident: [SUSE:Maintenance:34259](https://smelt.suse.de/incident/34259/)
Sources used:
openSUSE Leap 15.6 (src):
 php8-fastcgi-8.2.20-150600.3.3.1, php8-embed-8.2.20-150600.3.3.1, apache2-mod_php8-8.2.20-150600.3.3.1, php8-fpm-8.2.20-150600.3.3.1, php8-8.2.20-150600.3.3.1, php8-test-8.2.20-150600.3.3.1
Web and Scripting Module 15-SP6 (src):
 php8-fastcgi-8.2.20-150600.3.3.1, php8-embed-8.2.20-150600.3.3.1, apache2-mod_php8-8.2.20-150600.3.3.1, php8-fpm-8.2.20-150600.3.3.1, php8-8.2.20-150600.3.3.1, php8-test-8.2.20-150600.3.3.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.