RHEL9+, RSASHA1 and CVE-2025-8677

Petr Menšík pemensik at redhat.com
Fri Nov 7 19:12:44 UTC 2025


Oh, I thought that auto-detection of SHA1 readiness does the same thing 
as this explicit disabling in the configuration file. Indeed it does not. Okay, 
then algorithms that are disabled at build time or not yet supported (like PQC) are 
needed. Maybe I get why it slipped through untested, then.

Only now do I get what was meant by the comment about testing a different variant 
of this problem, with different algorithms used.

Sorry for the misleading information, I did not test it on a different system. 
I thought it behaved the same in the validator.

I do not even have my Debian sid container on my new laptop (yet!).

On 07/11/2025 13:54, Ondřej Surý wrote:

> Debian never had that problem, as RSASHA1 is not disabled there in the crypto library; the setting
>
>         disable-algorithms . {
>                 RSASHA1;
>         };
>
> is different.
>
> You would need something like RSAMD5 + <supported algorithm> to reproduce the issue.
>
> Ondrej
> --
> Ondřej Surý (He/Him)
> ondrej at isc.org
>
> My working hours and your working hours may be different. Please do not feel obligated to reply outside your normal working hours.
>
>> On 7. 11. 2025, at 7:46, Bjørn Mork via bind-users <bind-users at lists.isc.org> wrote:
>>
>> But I'm unable to reproduce the original issue with the current 9.20.15
>> based package in Debian.  Probably doing something wrong...

-- 
Petr Menšík
Senior Software Engineer, RHEL
Red Hat, https://www.redhat.com/
PGP: DFCF908DB7C87E8E529925BC4931CA5B6C9FC5CB
