From: Felix Lechner via "Development of GNU Guix and the GNU System distribution."
Reply-to: Felix Lechner
To: jbranso@dismail.de, guix-security@gnu.org, guix-devel@gnu.org
Subject: Re: Have ya'll seen the news about the openssh vulnerability?
Date: Mon, 01 Jul 2024 08:15:17 -0700
Message-ID: <87jzi5dtyy.fsf@lease-up.com>
In-Reply-To: <95b35e90f9a6cf47ea717a91a983385c795ce031@dismail.de>

Hi Joshua,

On Mon, Jul 01 2024, jbranso@dismail.de wrote:

> Is guix affected?

Yes, our version is affected. While the vulnerability is "critical," however, the note also states that the exploit has not yet been demonstrated on 64-bit systems, which are the most common today.

Also, this release disables DSA keys "at compile time." Not sure how that's different from before but it may be helpful to include a NEWS entry.

Kind regards
Felix