Hi,
Fedora Final release criterion says:
The release must contain no known security bugs of 'important' or
higher impact according to the Red Hat severity classification scale
which cannot be satisfactorily resolved by a package update (e.g.
issues during installation).
I've discovered this bug from jjelen
https://bugzilla.redhat.com/show_bug.cgi?id=89216
The gist is that Fedora uses a (silently) modified sshd_config from
openssh upstream, which sets `PermitRootLogin yes` instead of the
upstream default of `prohibit-password`, and this sounds like it would
be an important or higher impact security issue, leaving it set to
yes.
Could someone reply here or in the bug with such an assessment?
Thanks!
--
Chris Murphy
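A quick way to verify what a given sshd_config actually ends up with, added here as an editor's example (it is not from the bug report or from the Fedora openssh package): sshd takes the first occurrence of a keyword as the effective value, treats keywords case-insensitively, accepts `keyword=value` as well as `keyword value`, and considers everything after a `Match` line part of that Match block. The function below applies those rules to report the global `PermitRootLogin` value, falling back to the upstream default `prohibit-password` when the directive is absent. The two config files are constructed samples; the function does not follow `Include` directives (that is an assumption of this example), so for a running daemon `sshd -T | grep -i permitrootlogin` remains the authoritative check.

```shell
#!/bin/sh
# Report the effective global PermitRootLogin value of an sshd_config file.
# Rules mirrored from sshd_config(5): first match wins, keyword names are
# case-insensitive, "key=value" is accepted, and the global section ends at
# the first Match line. Include directives are NOT followed (assumption).
permit_root_login() {
  awk '
    {
      line = $0
      gsub(/^[[:space:]]+|[[:space:]]+$/, "", line)       # trim
      if (line == "" || substr(line, 1, 1) == "#") next    # comments, blanks
      split(line, f, /[[:space:]=]+/)                      # "Key val" or "Key=val"
      key = tolower(f[1])
      if (key == "match") exit                             # global section is over
      if (key == "permitrootlogin" && !found) { found = 1; value = f[2] }
    }
    END { print (found ? value : "prohibit-password") }   # upstream default if unset
  ' "$1"
}

# Constructed sample configs (not real Fedora or upstream files).
demo_fedora_style() {
  f=$(mktemp)
  printf '# distro-modified file\nPermitRootLogin yes\nPermitRootLogin no\n' > "$f"
  permit_root_login "$f"      # prints: yes  (first occurrence wins)
  rm -f "$f"
}

demo_upstream_style() {
  f=$(mktemp)
  printf 'Port 22\n\tpermitrootlogin=prohibit-password\nMatch User backup\n  PermitRootLogin yes\n' > "$f"
  permit_root_login "$f"      # prints: prohibit-password  (Match block ignored)
  rm -f "$f"
}

demo_fedora_style
demo_upstream_style
```

Anything other than `no`, `prohibit-password` (or its older alias `without-password`) or `forced-commands-only` printed for the global section means password logins as root are permitted if a root password is set, which is the situation the bug describes.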
Here
https://docs.fedoraproject.org/en-US/packaging-guidelines/CryptoPolicies/
is a proposal to use a specific cipher list string for
SSL_CTX_set_cipher_list(): "PROFILE=SYSTEM".
Especially this citation: "if that call is present and provided a fixed
string which does not contain PSK or SRP, replace the string with
"PROFILE=SYSTEM", or remove the call"
We have to rely on PSK. What is the reason behind the above advice?
Thanks, Frank