Re: Updates for SSH Tectia plaintext recovery vulnerability released

[der Mouse <mouse () rodents-montreal org>]

> It appears that a patch for SSH Tectia plaintext recovery
> vulnerability (reference:
> http://www.cpni.gov.uk/Docs/Vulnerability_Advisory_SSH.txt ) has been
> released: [...]

Is there any public description of the vulnerability precise enough for
me as an ssh implementor to use to tell whether I'm vulnerable too?
The closest thing I've found is
http://www.cpni.gov.uk/Docs/Vulnerability_Advisory_SSH_v2.0.txt, which
says only that it "works by analysing the behaviour of the SSH
connection when handling certain types of errors" and that it depends
on CBC-mode crypto.  These are interesting hints, but definitely not
enough to actually work out whether my implementation is vulnerable.

/~\ The ASCII                             Mouse
\ / Ribbon Campaign
 X  Against HTML                mouse () rodents-montreal org
/ \ Email!           7D C8 61 52 5D E7 2D 39  4E F1 31 3E E8 B3 27 4B
_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.