SEARCH
NEW RPMS
DIRECTORIES
ABOUT
FAQ
VARIOUS
BLOG

 
 
Changelog for ssh-audit-3.2.0-lp155.19.1.noarch.rpm :

* Tue Apr 23 2024 Martin Hauke - Update to version 3.2.0
* Added implementation of the DHEat denial-of-service attack (see --dheat option; CVE-2002-20001).
* Expanded filter of CBC ciphers to flag for the Terrapin vulnerability. It now includes more rarely found ciphers.
* Fixed parsing of ecdsa-sha2-nistp
* CA signatures on host keys. Additionally, they are now flagged as potentially back-doored, just as standard host keys are.
* Gracefully handle rare exceptions (i.e.: crashes) while performing GEX tests.
* Built-in policies now include a change log (use -L -v to view them).
* Custom policies now support the allow_algorithm_subset_and_reordering directive to allow targets to pass with a subset and/or re-ordered list of host keys, kex, ciphers, and MACs. This allows for the creation of a baseline policy where targets can optionally implement stricter controls;
* Custom policies now support the allow_larger_keys directive to allow targets to pass with larger host keys, CA keys, and Diffie-Hellman keys. This allows for the creation of a baseline policy where targets can optionally implement stricter controls
* Color output is disabled if the NO_COLOR environment variable is set (see https://no-color.org/).
* Added 1 new key exchange algorithm: gss-nistp384-sha384-
*.
* Added 1 new cipher: aes128-ocbAATTlibassh.org.
* Wed Dec 20 2023 Michael Vetter - Update to 3.1.0:
* Added test for the Terrapin message prefix truncation vulnerability (CVE-2023-48795).
* Dropped support for Python 3.7 (EOL was reached in June 2023).
* Added Python 3.12 support.
* In server policies, reduced expected DH modulus sizes from 4096 to 3072 to match the online hardening guides (note that 3072-bit moduli provide the equivalent of 128-bit symmetric security).
* In Ubuntu 22.04 client policy, moved host key types sk-ssh-ed25519AATTopenssh.com and ssh-ed25519 to the end of all certificate types.
* Updated Ubuntu Server & Client policies for 20.04 and 22.04 to account for key exchange list changes due to Terrapin vulnerability patches.
* Re-organized option host key types for OpenSSH 9.2 server policy to correspond with updated Debian 12 hardening guide.
* Added built-in policies for OpenSSH 9.5 and 9.6.
* Added an additional_notes field to the JSON output.
* Sat Sep 09 2023 Martin Hauke - Update to version 3.0.0
* Results from concurrent scans against multiple hosts are no longer improperly combined.
* Hostname resolution failure no longer causes scans against multiple hosts to terminate unexpectedly.
* Algorithm recommendations resulting from warnings are now printed in yellow instead of red.
* Added failure, warning, and info notes to JSON output (note that this results in a breaking change to the banner protocol, \"enc\", and \"mac\" fields).
* Fixed crash during GEX tests.
* Refined GEX testing against OpenSSH servers: when the fallback mechanism is suspected of being triggered, perform an additional test to obtain more accurate results.
* The color of all notes will be printed in green when the related algorithm is rated good.
* Prioritized host key certificate algorithms for Ubuntu 22.04 LTS client policy.
* Marked all NIST K-, B-, and T-curves as unproven since they are so rarely used.
* Added built-in policy for OpenSSH 9.4.
* Added 12 new host keys
* Added 15 new key exchanges.
* Added 8 new ciphers.
* Added 14 new MACs.
* Mon May 01 2023 Martin Hauke - Update to version 2.9.0
* Dropped support for Python 3.6
* Updated CVE database.
* Added -g and --gex-test for granular GEX modulus size tests.
* JSON \'target\' field now always includes port number.
* JSON output now includes recommendations and CVE data.
* Mixed host key/CA key types (i.e.: RSA host keys signed with ED25519 CAs, etc.) are now properly handled.
* Warnings are now printed for 2048-bit moduli.
* SHA-1 algorithms now cause failures.
* CBC mode ciphers are now warnings instead of failures.
* Generic failure/warning messages replaced with more specific reasons (i.e.:\'using weak cipher\' => \'using broken RC4 cipher\')
* Updated built-in policies to include missing host key size information.
* Added built-in policies for OpenSSH 8.8, 8.9, 9.0, 9.1, 9.2, and 9.3.
* Added 33 new host keys.
* Added 46 new key exchanges.
* Added 28 new ciphers.
* Added 5 new MACs.
* Mon Aug 30 2021 Martin Hauke - Require correct python version
* Thu Aug 26 2021 Martin Hauke - Update to version 2.5.0
* Fixed crash when running host key tests.
* Handles server connection failures more gracefully.
* Now prints JSON with indents when -jj is used (useful for debugging).
* Added MD5 fingerprints to verbose output.
* Added -d/--debug option for getting debugging output.
* Updated JSON output to include MD5 fingerprints. Note that this results in a breaking change in the \'fingerprints\' dictionary format.
* Updated OpenSSH 8.1 (and earlier) policies to include rsa-sha2-512 and rsa-sha2-256.
* Added OpenSSH v8.6 & v8.7 policies.
* Added 3 new key exchanges: + gss-gex-sha1-eipGX3TCiQSrx573bT1o1Q== + gss-group1-sha1-eipGX3TCiQSrx573bT1o1Q== + gss-group14-sha1-eipGX3TCiQSrx573bT1o1Q==
* Added 3 new MACs: + hmac-ripemd160-96 + AEAD_AES_128_GCM + AEAD_AES_256_GCM
* Mon Mar 01 2021 Martin Hauke - Update to version 2.4.0
* Added multi-threaded scanning support.
* Added version check for OpenSSH user enumeration (CVE-2018-15473).
* Added deprecation note to host key types based on SHA-1.
* Added extra warnings for SSHv1.
* Added built-in hardened OpenSSH v8.5 policy.
* Upgraded warnings to failures for host key types based on SHA-1
* Fixed crash when receiving unexpected response during host key test.
* Fixed hang against older Cisco devices during host key test & gex test.
* Fixed improper termination while scanning multiple targets when one target returns an error.
* Dropped support for Python 3.5 (which reached EOL in Sept.2020)
* Added 1 new key exchange: sntrup761x25519-sha512AATTopenssh.com.
* Fri Oct 30 2020 Martin Hauke - Update to version 2.3.1
* Now parses public key sizes for rsa-sha2-256-cert-v01AATTopenssh.com and rsa-sha2-512-cert-v01AATTopenssh.com host key types.
* Flag ssh-rsa-cert-v01AATTopenssh.com as a failure due to SHA-1 hash.
* Fixed bug in recommendation output which suppressed some algorithms inappropriately.
* Built-in policies now include CA key requirements (if certificates are in use).
* Lookup function (--lookup) now performs case-insensitive lookups of similar algorithms.
* Migrated pre-made policies from external files to internal database.
* Split single 3,500 line script into many files (by class).
* Added setup.py support
* Added 1 new cipher: des-cbcAATTssh.com.- Install manpage- Use py-
* rpm macros
* Mon Sep 28 2020 Martin Hauke - Update to version 2.3.0 The highlight of this release is support for policy scanning (this allows an admin to test a server against a hardened/standard configuration).
* Added new policy auditing functionality to test adherence to a hardening guide/standard configuration (see -L/--list-policies, -M/--make-policy and -P/--policy).
* Created new man page (see ssh-audit.1 file).
* 1024-bit moduli upgraded from warnings to failures.
* Many Python 2 code clean-ups, testing framework improvements, pylint & flake8 fixes, and mypy type comments.
* Added feature to look up algorithms in internal database (see --lookup)
* Suppress recommendation of token host key types.
* Added check for use-after-free vulnerability in PuTTY v0.73.
* Added 11 new host key types: ssh-rsa1, ssh-dss-sha256AATTssh.com, ssh-gost2001, ssh-gost2012-256, ssh-gost2012-512, spki-sign-rsa, ssh-ed448, x509v3-ecdsa-sha2-nistp256, x509v3-ecdsa-sha2-nistp384, x509v3-ecdsa-sha2-nistp521, x509v3-rsa2048-sha256.
* Added 8 new key exchanges: diffie-hellman-group1-sha256, kexAlgoCurve25519SHA256, Curve25519SHA256, gss-group14-sha256-, gss-group15-sha512-, gss-group16-sha512-, gss-nistp256-sha256-, gss-curve25519-sha256-.
* Added 5 new ciphers: blowfish, AEAD_AES_128_GCM, AEAD_AES_256_GCM, crypticore128AATTssh.com, seed-cbcAATTssh.com.
* Added 3 new MACs: chacha20-poly1305AATTopenssh.com, hmac-sha3-224, crypticore-macAATTssh.com.- Update ssh-audit.keyring
* Wed Mar 11 2020 Martin Hauke - Update to version 2.2.0
* Marked host key type ssh-rsa as weak due to practical SHA-1 collisions.
* Added 10 new host key types: ecdsa-sha2-1.3.132.0.10, x509v3-sign-dss, x509v3-sign-rsa, x509v3-sign-rsa-sha256AATTssh.com, x509v3-ssh-dss, x509v3-ssh-rsa, sk-ecdsa-sha2-nistp256-cert-v01AATTopenssh.com, sk-ecdsa-sha2-nistp256AATTopenssh.com, sk-ssh-ed25519-cert-v01AATTopenssh.com, and sk-ssh-ed25519AATTopenssh.com.
* Added 18 new key exchanges: diffie-hellman-group14-sha256AATTssh.com, diffie-hellman-group15-sha256AATTssh.com, diffie-hellman-group15-sha384AATTssh.com, diffie-hellman-group16-sha384AATTssh.com, diffie-hellman-group16-sha512AATTssh.com, diffie-hellman-group18-sha512AATTssh.com, ecdh-sha2-curve25519, ecdh-sha2-nistb233, ecdh-sha2-nistb409, ecdh-sha2-nistk163, ecdh-sha2-nistk233, ecdh-sha2-nistk283, ecdh-sha2-nistk409, ecdh-sha2-nistp192, ecdh-sha2-nistp224, ecdh-sha2-nistt571, gss-gex-sha1-, and gss-group1-sha1-.
* Added 9 new ciphers: camellia128-cbc, camellia128-ctr, camellia192-cbc, camellia192-ctr, camellia256-cbc, camellia256-ctr, aes128-gcm, aes256-gcm, and chacha20-poly1305.
* Added 2 new MACs: aes128-gcm and aes256-gcm.
* Tue Feb 04 2020 Martin Hauke - Rename keyring to %name.keyring
* Mon Feb 03 2020 Martin Hauke
* Remove _service file; use download URL for all files
* Run spec-cleaner
* Don\'t package ssh-audit with the .py extension
* Run testsuite
* Sun Dec 29 2019 Lars Vogdt - update to 2.1.1: This maintenance release focuses on improving support for client testing. The full changelog is: + Added 2 new host key types: rsa-sha2-256-cert-v01AATTopenssh.com, rsa-sha2-512-cert-v01AATTopenssh.com. + Added 2 new ciphers: des, 3des. + Added 3 new PuTTY vulnerabilities. + During client testing, client IP address is now listed in output.- added _service file- add signatures for source verification
* Fri Nov 15 2019 Lars Vogdt - update to 2.1.0: The highlights of this release include client-testing functionality to audit the protocols accepted by client software, a JSON output format, support for new algorithms, and bugfixes. Below is the full changelog: + Added client software auditing functionality (see -c / --client-audit option). + Added JSON output option (see -j / --json option; credit Andreas Jaggi). + Fixed crash while scanning Solaris Sun_SSH.
* Wed Sep 25 2019 larsAATTlinux-schulserver.de - 2.0.0- initial version 2.0.0
  
ICM