Unless an application explicitly requests either the DBM or SQL format, the NSS library will automatically migrate the application's NSS database from the old to the new format. The old database files will not be updated further. Most users should not experience differences in operation. Applications that perform many NSS read/write operations may experience a minor performance decrease. Use the following command to trigger an explicit migration:
Users who store their system home or application data directory on a network filesystem are advised to set the `NSS_SDB_USE_CACHE=yes` environment variable prior to starting applications that use NSS. Without setting this environment variable, users of network filesystems may experience a major slowdown with some applications, such as Firefox. The environment variable enables the use of a caching strategy in NSS that works around the slowness of network filesystems. Because this caching strategy causes a performance decrease on fast filesystems.
Fedora 28 https://fedoraproject.org/wiki/Changes/Deprecate_TCP_wrappers[removes support] for `tcp_wrappers` (aka `/etc/hosts.deny` access files) by default from all the network daemons and tools. The preferred replacements are firewalld, nftables rules, or software-specific access rules for more complex filtering. If your system security depends on `tcp_wrappers` rules, convert them to firewall rules, or set up `tcpd` to do the same job for you.
With this update, the OpenLDAP distribution in Fedora changed from using the *NSS* (or *MozNSS*) library to the *OpenSSL* library for providing cryptographic functions. The switch promises better support from OpenLDAP upstream, which had ceased maintaining the NSS support layer.
Fedora has https://fedoraproject.org/wiki/Changes/Deprecate_TCP_wrappers[deprecated the use of TCP wrappers]. The OpenLDAP project also https://www.openldap.org/doc/admin24/security.html#TCP%20Wrappers[discourages their use] and recommends that an IP firewall is used instead. With this update, OpenLDAP will not be configured with `--enable-wrappers` and so any TCP wrappers configuration will have no effect on OpenLDAP. Other means should be used to protect the OpenLDAP server.
Fedora 28 replaces authconfig with authselect as the default tool for generating PAM configuration files and nsswitch.conf. On new installations, authselect, together with an authconfig compatibility tool, will be installed by default instead of authconfig. On upgraded installations, authconfig will be replaced with authselect and the compatibility tool but the configuration generated by authconfig will be left intact. The authconfig compatibility tool will be removed from Fedora in a future release. The https://github.com/pbrezina/authselect/tree/master/src/man/authselect-migration.7.txt.in.in[authselect-migration(7)] man page explains how to migrate from authconfig to authselect.
Security
Updated cryptography settings
With this update, the default Fedora policy regarding cryptographic components has been updated to disallow the use of algorithms that are no longer considered secure. Specifically, the changes involve:
Require RSA of 2048 bits or more
In Fedora 28, the default file format used by the *NSS* library is changed to SQL.
Replace authconfig with authselect
certutil -d sql:</path/to/database> -N -f </path/to/database/password/file> \
-@ </path/to/database/password/file>
Disable DSA
Libcurl switches from libssh2 to libssh
With this update, the *libcurl* library switches from *libssh2* to *libssh* for implementing the SSH layer of the SCP and SFTP protocols. The reason for the change is that the *libssh2* library uses outdated cryptographic algorithms and lacks important features, such as GSS-API authentication. The newly used *libssh* library is more secure and feature-complete, and has a more active upstream community.
Additional technical details can be found in the Fedora Wiki: link:https://fedoraproject.org/wiki/Changes/NSSDefaultFileFormatSql[].
NSS uses SQL as default file format
The Network Security Services (NSS) library, which is used by Mozilla Firefox, GNOME Evolution, Mozilla Thunderbird, and other applications, changed its default database format for storing keys, certificates, and trust information. The new database format is based on SQLite and uses the filenames `cert9.db`, `key4.db`, and `pkcs11.txt`. The previous database format used Berkeley DB (DBM) and filenames `cert8.db`, `key3.db`, and `secmod.db`.
OpenLDAP defaults to use only Shared System Certificates