With this update, the default Fedora policy for cryptographic components has been updated to no longer allow the use of insecure algorithms. Specifically, the changes include:
RSA keys of 2048 bits or greater are required
With this update, the libcurl library switches from using libssh2 to implement the SSH layer of the SCP and SFTP protocols to libssh. The reason for the change is that the libssh2 library uses outdated cryptographic algorithms and lacks important features, such as GSS-API authentication. The newly used libssh library is more secure, more feature-complete, and has a more active upstream community.
In Fedora 28, the default file format used by the NSS library changes to SQL.
The Network Security Services (NSS) library, which is used by Mozilla Firefox, GNOME Evolution, Mozilla Thunderbird, and other applications, changed its default database format for storing keys, certificates, and trust information. The new database format is based on SQLite and uses the filenames pkcs11.txt. The previous database format used Berkeley DB (DBM) and filenames
The primary benefit of the SQLite storage is support for concurrent access by multiple applications. When using the previous default file format based on DBM, accidental concurrent access could result in corrupted storage.
Unless an application explicitly requests either the DBM or SQL format, the NSS library will automatically migrate the application’s NSS database from the old to the new format. The old database files will not be updated further. Most users should not experience differences in operation. Applications that perform many NSS read/write operations may experience a minor performance decrease. Use the following command to trigger an explicit migration:
certutil -d sql:</path/to/database> -N -f </path/to/database/password/file> \
    -@ </path/to/database/password/file>
Users who store their system home or application data directory on a network filesystem are advised to set the NSS_SDB_USE_CACHE=yes environment variable prior to starting applications that use NSS. Without setting this environment variable, users of network filesystems may experience a major slowdown with some applications, such as Firefox. The environment variable enables the use of a caching strategy in NSS that works around the slowness of network filesystems. Note that this caching strategy causes a performance decrease on fast filesystems.
Additional technical details can be found on the Fedora wiki: Changes/NSSDefaultFileFormatSql.
Fedora 28 removes support for /etc/hosts.deny access files) by default from all the network daemons and tools. The preferred replacements are the firewalld software, nftables rules, or software-specific access rules for more complex filtering. If your system security depends on tcp_wrappers rules, convert them to firewall rules, or set up tcpd to do the same job for you.
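As an added example (not part of the release notes), a small POSIX shell helper that rewrites simple tcp_wrappers "daemon: client" rules into firewalld rich rule strings for review before they are applied; the daemon-to-port table, the sample rule lines and the function names are constructed assumptions.

```shell
#!/bin/sh
# Added example: turn simple tcp_wrappers rules into firewalld rich rules.
# The daemon-to-port table below is an assumption, not something the page
# or tcp_wrappers define. Nothing here calls firewall-cmd; the rule strings
# are only printed so an administrator can review them first.

# Map a tcp_wrappers daemon name to "port proto" (hypothetical table).
daemon_port() {
    case "$1" in
        sshd) echo "22 tcp" ;;
        smtp|sendmail|postfix) echo "25 tcp" ;;
        *) return 1 ;;
    esac
}

# tcpw_to_rich_rule allow|deny DAEMON CLIENT  -> one rich rule on stdout.
# CLIENT must be a plain IPv4 address or CIDR; other tcp_wrappers client
# forms (netmasks, trailing-dot prefixes, hostnames, ALL) are rejected.
tcpw_to_rich_rule() {
    action=$1; daemon=$2; client=$3
    case "$client" in
        *[!0-9./]*|*/|/*|*.|'') return 2 ;;
    esac
    pp=$(daemon_port "$daemon") || return 1
    port=${pp% *}; proto=${pp#* }
    case "$action" in
        allow) verb=accept ;;
        deny)  verb=drop ;;
        *) return 3 ;;
    esac
    printf 'rule family="ipv4" source address="%s" port port="%s" protocol="%s" %s\n' \
        "$client" "$port" "$proto" "$verb"
}

# convert_rules allow|deny < hosts.allow-style lines  -> rich rules on stdout.
# Input lines look like "sshd: 192.0.2.0/24, 198.51.100.7"; comments are
# skipped and unsupported entries are reported on stderr, not silently lost.
convert_rules() {
    action=$1
    while IFS= read -r line; do
        case "$line" in ''|\#*) continue ;; esac
        daemon=$(printf '%s' "${line%%:*}" | tr -d ' \t')
        for client in $(printf '%s' "${line#*:}" | tr ',' ' '); do
            tcpw_to_rich_rule "$action" "$daemon" "$client" ||
                echo "skipped: $daemon $client (unsupported, review by hand)" >&2
        done
    done
}
```

Feed it a hosts.allow-style file with `convert_rules allow < file` and review the printed rules; entries it cannot express (such as ALL or hostnames) are listed on stderr for manual handling.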
With this update, the OpenLDAP distribution in Fedora changed from using the NSS (or MozNSS) library to the OpenSSL library for providing cryptographic functions. The switch promises better support from OpenLDAP upstream, which had ceased maintaining the NSS support layer.
OpenLDAP clients and servers now use the system-wide certificate store by default instead of /etc/openldap/certs.
Fedora has deprecated the use of TCP wrappers. The OpenLDAP project also discourages their use and recommends that an IP firewall is used instead. With this update, OpenLDAP will not be configured with --enable-wrappers and so any TCP wrappers configuration will have no effect on OpenLDAP. Other means should be used to protect the OpenLDAP server.
Fedora 28 replaces authconfig with authselect as the default tool for generating PAM configuration files and nsswitch.conf. On new installations, authselect, together with an authconfig compatibility tool, will be installed by default instead of authconfig. On upgraded installations, authconfig will be replaced with authselect and the compatibility tool but the configuration generated by authconfig will be left intact. The authconfig compatibility tool will be removed from Fedora in a future release. The authselect-migration(7) man page explains how to migrate from authconfig to authselect.