[Bug 2079834] Re: libssh2-1 lacks support for rsa-sha2-{512,256}
Adrien Nader
2079834 at bugs.launchpad.net
Fri Oct 11 15:19:46 UTC 2024
The SRU process is dedicated work that is specific to non-security
updates to a package in a released Ubuntu version: no such thing has
been done for libssh2 in 22.04. It has to be done for every change
anyway as the goal is to avoid behavior differences from the
corresponding changes.
But I was wrong on the relevant process: backports is the appropriate
one because this isn't a new micro version and there are many changes
between 2.10.0 and 2.11.0. Please read
https://help.ubuntu.com/community/UbuntuBackports and make sure that it
fits your own processes.
Another alternative that is faster is a PPA. I would classify it as
pretty close to the backports in practice but without the paperwork.
PS: Backports and PPAs are not covered by security update policies, but
libssh2 in Ubuntu 22.04 is in "universe" and therefore
community-maintained with the corresponding update policies (only Ubuntu
Pro would offer a different policy). (In 24.04, it has been promoted to
"main", however, but that's not retroactive.)
--
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to libssh2 in Ubuntu.
https://bugs.launchpad.net/bugs/2079834
Title:
libssh2-1 lacks support for rsa-sha2-{512,256}
Status in libssh2 package in Ubuntu:
Confirmed
Bug description:
OS: Ubuntu 22.04LTS
Package: libssh2-1/jammy,now 1.10.0-3
SSH-RSA is/has been deprecated due to known vulnerabilities.
I am writing a Perl program to scan my company's public-facing routers
to determine which devices support ssh-rsa and which support the newer
rsa-sha2-{512,256}. However, libssh2-1, which is used by the Perl
Net::SSH2 CPAN module, does not support rsa-sha2-{512,256}. There is a
new version of libssh2, version 1.11, which came out in 2023 and does
support rsa-sha2-{512,256}.
I am running my scripts on a shared bastion host that runs Ubuntu
22.04LTS and is not easily or readily upgradable at this time.
Due to the potential security risks involved with ssh-rsa, is it
possible to incorporate libssh2 version 1.11 into Ubuntu 22.04LTS?
Based on my testing of libssh2-1t64 on Ubuntu 24.04 I do not believe
this would be a breaking change.
ProblemType: Bug
DistroRelease: Ubuntu 22.04
Package: libssh2-1 1.10.0-3
ProcVersionSignature: Ubuntu 5.15.0-119.129-generic 5.15.160
Uname: Linux 5.15.0-119-generic x86_64
ApportVersion: 2.20.11-0ubuntu82.6
Architecture: amd64
CasperMD5CheckResult: unknown
CurrentDesktop: MATE
Date: Fri Sep 6 09:22:40 2024
InstallationDate: Installed on 2019-05-13 (1943 days ago)
InstallationMedia: Ubuntu 19.04 "Disco Dingo" - Release amd64 (20190416)
ProcEnviron:
TERM=xterm-256color
PATH=(custom, no user)
XDG_RUNTIME_DIR=<set>
LANG=en_US.UTF-8
SHELL=/bin/bash
SourcePackage: libssh2
UpgradeStatus: No upgrade log present (probably fresh install)