oss-sec mailing list archives
Re: CVE Request: Qt Creator fails to verify SSH host key
From: Michael Samuel <mik () miknet net>
Date: Fri, 7 Nov 2014 10:24:26 +1100
On 7 November 2014 00:04, Jason A. Donenfeld <Jason () zx2c4 com> wrote:
> I reported this bug to the development team, alongside another bug involving cipher-suite compatibility with OpenSSH 6.7 (no CTR modes). They marked the latter as priority 1, and fixed it within 24 hours. The former, however, has received a bit more of a hesitant reaction. The most recent vendor feedback seems to indicate they're not super interested in implementing this.

This is a serious bug (it certainly circumvents the security of OpenSSH), but I think the proposed fix doesn't fit.

What might be a better solution is to store the public key for all devices, and accept if it matches any device you've talked to before. On discovering a new device, it shows the fingerprint and prompts for a name/description. Then you can revoke devices in some other part of the UI when you need to clean up.

Regards,
Michael
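
The scheme proposed in the message above, sketched as an added example that is not part of the original post and is not Qt Creator code. `DeviceKeyStore`, `check_host_key` and the `confirm` callback are hypothetical names, the store is kept in memory only, and the SHA-256 fingerprint format is an assumption.

```python
import base64
import hashlib


def fingerprint(key_blob: bytes) -> str:
    """SHA-256 fingerprint of a raw public key blob, shown to the user."""
    digest = hashlib.sha256(key_blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


class DeviceKeyStore:
    """Hypothetical store: trusts host keys per device, not per address."""

    def __init__(self):
        self._devices = {}  # full public key blob -> user-supplied name

    def lookup(self, key_blob: bytes):
        """Return the device name for an already trusted key, else None."""
        return self._devices.get(bytes(key_blob))

    def enroll(self, key_blob: bytes, name: str) -> None:
        """Record a key the user has just confirmed by fingerprint."""
        self._devices[bytes(key_blob)] = name

    def revoke(self, name: str) -> int:
        """Forget every key stored under a name; returns how many."""
        stale = [k for k, n in self._devices.items() if n == name]
        for k in stale:
            del self._devices[k]
        return len(stale)


def check_host_key(store, key_blob, confirm):
    """Decide what to do with the key a server presents.

    confirm(fp) stands in for the UI prompt: it returns a device name when
    the user accepts the fingerprint, or None when they decline.
    """
    name = store.lookup(key_blob)
    if name is not None:
        return ("accepted", name)
    name = confirm(fingerprint(key_blob))
    if not name:
        return ("rejected", None)  # unknown and unconfirmed: do not connect
    store.enroll(key_blob, name)
    return ("enrolled", name)
```

Because a key is matched against every enrolled device rather than against one address, the stored key of any single device is accepted wherever it is presented; revoking a device's entry is what removes that trust.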