X2Go Bug report logs - #472
Upgrade SSH key exchange and message authentication code from SHA1 to SHA2

version graph

Package: x2goclient; Maintainer for x2goclient is X2Go Developers <x2go-dev@lists.x2go.org>; Source for x2goclient is src:x2goclient.

Reported by: Aurélien Grosdidier <aurelien.grosdidier@gmail.com>

Date: Thu, 3 Apr 2014 14:35:02 UTC

Severity: important

Found in version 4.0.1.3-1

Full log

đŸ”— View this message in rfc822 format

X-Loop: owner@bugs.x2go.org
Subject: Bug#472: Another Test
Reply-To: Michael DePaulo <mikedep333@gmail.com>, 472@bugs.x2go.org
Resent-From: Michael DePaulo <mikedep333@gmail.com>
Resent-To: x2go-dev@lists.x2go.org
Resent-CC: X2Go Developers <x2go-dev@lists.x2go.org>
X-Loop: owner@bugs.x2go.org
Resent-Date: Tue, 14 Oct 2014 02:50:01 +0000
Resent-Message-ID: <handler.472.B472.14132548629296@bugs.x2go.org>
Resent-Sender: owner@bugs.x2go.org
X-X2Go-PR-Message: followup 472
X-X2Go-PR-Package: x2goclient
X-X2Go-PR-Keywords: 
Received: via spool by 472-submit@bugs.x2go.org id=B472.14132548629296
          (code B ref 472); Tue, 14 Oct 2014 02:50:01 +0000
Received: (at 472) by bugs.x2go.org; 14 Oct 2014 02:47:42 +0000
X-Spam-Checker-Version: SpamAssassin 3.3.2 (2011-06-06) on
	ymir.das-netzwerkteam.de
X-Spam-Level: 
X-Spam-Status: No, score=0.8 required=5.0 tests=BAYES_50,FREEMAIL_FROM,
	T_DKIM_INVALID autolearn=ham version=3.3.2
Received: from mail-wg0-f47.google.com (mail-wg0-f47.google.com [74.125.82.47])
	by ymir.das-netzwerkteam.de (Postfix) with ESMTPS id 5B30D3D5ED
	for <472@bugs.x2go.org>; Tue, 14 Oct 2014 04:47:41 +0200 (CEST)
Received: by mail-wg0-f47.google.com with SMTP id x13so9762631wgg.6
        for <472@bugs.x2go.org>; Mon, 13 Oct 2014 19:47:41 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=gmail.com; s=20120113;
        h=mime-version:date:message-id:subject:from:to:content-type;
        bh=nNuiOodwi2GApZkhXxipZ/JCmKZGfawr5wrIE8BWZsA=;
        b=aIN837Jg9gN56dpp8V0YbuFRvzeUGL3EEgXGDUVJcQTWSTqFWuVrFW94wP9aoKKMsL
         5dTpwzXem9T+ycJ9AfErUfAswYN3j+gmpwIwqJjJi2QJa75hQzn/U9X8eeztMTzlEAoW
         tmhkTo7+wMCPHyDiV8xlTjs5lwunT4kh2t4ZtYHSQ4uJgJT5DItYVCdlG5/RduSVT8uk
         Kwr1VfPUMRvMiKC9mJHU6UbPut1Vd968PDW2ujFeoCnx87M04xvNF1+O5u64HD6QlmBy
         FJZQIeUAlrGyuTtJjUUgdU+EF/nHXgRF4iPVHyvZ1vcyV9Gt5CVLSt0m1+gmwgWzaeur
         LLOQ==
MIME-Version: 1.0
X-Received: by 10.180.21.230 with SMTP id y6mr2521548wie.78.1413254860996;
 Mon, 13 Oct 2014 19:47:40 -0700 (PDT)
Received: by 10.180.211.11 with HTTP; Mon, 13 Oct 2014 19:47:40 -0700 (PDT)
Date: Mon, 13 Oct 2014 22:47:40 -0400
Message-ID: <CAMKht8j=dR3J5Jg9LEq0N2p5Nov9tQv2ACBMJKPsPdRrec8nTw@mail.gmail.com>
From: Michael DePaulo <mikedep333@gmail.com>
To: 472@bugs.x2go.org
Content-Type: text/plain; charset=UTF-8

On Mon, Oct 13, 2014 at 7:22 PM, Michael DePaulo <mikedep333@gmail.com> wrote
>>[..]
>
> The bad news:
> I can confirm that X2Go Client for Windows 4.0.2.1+hotfix+build6 (and
> all prior versions/builds) ARE AFFECTED by this bug and ARE UNABLE to
> connect to a Debian Jessie server with openssh-server 6.7p1-2 (from
> sid) installed. Said version of X2go Client for Windows bundles and
> uses libssh 0.5.5.
>
> The good news:
> I can confirm that X2Go Client for Windows 4.0.3.0 nightly builds
> (mingw 4.8 tested) ARE NOT AFFECTED by this bug and ARE ABLE to
> connect to a Debian Jessie server with openssh-server 6.7p1-2 (from
> sid) installed. Said version of X2Go Client bundles and uses libssh
> 0.6.3.
>
> [...]
>
> -Mike#2

X2Go Client (binary package: x2goclient) 4.0.2.1-1 as it exists in
Debian Jessie right now IS NOT AFFECTED. It IS ABLE to connect the
aforementioned server. It is using Debian Jessie's libssh (binary
package: libssh-4) 0.6.3-3+b1.

Note that when you connect and perform the key exchange,
~/.ssh/known_hosts (Windows: %USERPROFILE%/ssh/known_hosts) will have
a line like the following added:
192.168.1.37 ecdsa-sha2-nistp256 <host-id>
Whereas for the old key exchange, a line like this would be added:
192.168.1.37 ssh-rsa <host-id>

-Mike#2

Send a report that this bug log contains spam.

X2Go Developers <owner@bugs.x2go.org>. Last modified: Fri Apr 19 04:07:58 2024; Machine Name: ymir.das-netzwerkteam.de

X2Go Bug tracking system

Debbugs is free software and licensed under the terms of the GNU Public License version 2. The current version can be obtained from https://bugs.debian.org/debbugs-source/.

Copyright © 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson, 2005-2017 Don Armstrong, and many other contributors.