Loading...

Linking RHIVOS CVEs to...

Migration: Automation ...

SWIFT: POC Conversion

Sync from "Extern...

XML

Word

Printable

Type: Bug
Resolution: Unresolved
Priority: Normal
Fix Version/s: rhel-10.2
Affects Version/s: rhel-10.0
Component/s: openssh
Labels:
- Committed

Fixed in Build:
openssh-9.9p1-14.el10
Regression:
No
Severity:
Low
Epic Link:
CRYPTO-17262
sprint_count:
2

AssignedTeam:
rhel-security-crypto-diamonds
Sub-System Group:

ssg_security

Internal Target Milestone:
10
Story Points:
1.5
Blocked:
False
Ready:
False
Blocked Reason:

Hide

None

Show
None
Product Documentation Required:
Yes
Sprint:
Crypto25August, Crypto25September

Acceptance Criteria:

Hide

AC1 manually check that patch fixing this issue is correctly applied and present in compose
AC2 manually checked the compatibility with previous version: client with patched openssh version succesfully connect to the server running with previous openssh version

AC3 GSS Kex using groups KEX_GSS_GRP14_SHA256, KEX_GSS_GRP16_SHA512, KEX_GSS_NISTP256_SHA256 are permitted in FIPS mode

Show
AC1 manually check that patch fixing this issue is correctly applied and present in compose AC2 manually checked the compatibility with previous version: client with patched openssh version succesfully connect to the server running with previous openssh version AC3 GSS Kex using groups KEX_GSS_GRP14_SHA256, KEX_GSS_GRP16_SHA512, KEX_GSS_NISTP256_SHA256 are permitted in FIPS mode
Preliminary Testing:
Pass
Errata Link:
https://errata.engineering.redhat.com/advisory/154134
Gating Tests:

Not Needed
Test Coverage:

New Test Coverage

Release Note Type:
Enhancement
Release Note Text:
GSS KEX is currently allowed in FIPS mode (DH group 14/16, ECDH)
Release Note Status:
Proposed
ProdDocsReview-CCS:
Unspecified
ProdDocsReview-Dev:
Unspecified
ProdDocsReview-QE:
Unspecified

Experience:

PX Impact Score:
SFDC Cases Counter:
SFDC Cases Open:
SFDC Cases Links:

Planning:
None

In FIPS mode we since 2014 forbid GSS key exchange on the code level. I see customer's request to relax this requirement and move it to crypto policies. We should consider it

relates to

RHEL-99890 crypto-policies not properly handling GSSAPIKexAlgorithms in FIPS policy

Closed

links to

RHBA-2025:154134 openssh update

Assignee:: Dmitry Belyavskiy

Reporter:: Dmitry Belyavskiy

Developer:: Dmitry Belyavskiy

QA Contact:: Miluse Bezo Konecna

Votes:: 0 Vote for this issue

Watchers:: 10 Start watching this issue

Created:: 2025/05/13 5:28 PM

Updated:: 2025/09/25 12:35 PM

Target end:: 2025/11/03

Next Planned Release Date:: 2026/05/12

Details

Description

Attachments

Issue Links

Easy Agile Planning Poker

Activity

People

Dates

Hide