funsec mailing list archives
Re: Updates for SSH Tectia plaintext recovery vulnerability released
From: der Mouse <mouse () rodents-montreal org>
Date: Tue, 18 Nov 2008 11:02:59 -0500 (EST)
> It appears that a patch for SSH Tectia plaintext recovery vulnerability (reference: http://www.cpni.gov.uk/Docs/Vulnerability_Advisory_SSH.txt ) has been released: [...]
Is there any public description of the vulnerability precise enough for me as an ssh implementor to use to tell whether I'm vulnerable too? The closest thing I've found is http://www.cpni.gov.uk/Docs/Vulnerability_Advisory_SSH_v2.0.txt, which says only that it "works by analysing the behaviour of the SSH connection when handling certain types of errors" and that it depends on CBC-mode crypto. These are interesting hints, but definitely not enough to actually work out whether my implementation is vulnerable.

/~\ The ASCII                             Mouse
\ / Ribbon Campaign
 X  Against HTML                mouse () rodents-montreal org
/ \ Email!           7D C8 61 52 5D E7 2D 39  4E F1 31 3E E8 B3 27 4B

_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.
Current thread:
- Updates for SSH Tectia plaintext recovery vulnerability released Juha-Matti Laurio (Nov 18)
- Re: Updates for SSH Tectia plaintext recovery vulnerability released der Mouse (Nov 18)