Plaintext recovery attack in SSH, discovered by CPNI?
Damien Miller
djm at mindrot.org
Fri Nov 21 03:28:11 PST 2008
see http://www.openssh.com/txt/cbc.adv
On Fri, 21 Nov 2008, Eygene Ryabinkin wrote:
> Me again.
>
> Wed, Nov 19, 2008 at 04:20:58PM +0300, Eygene Ryabinkin wrote:
> > Just came across the following list in the oss-security list:
> > http://www.cpni.gov.uk/Docs/Vulnerability_Advisory_SSH.txt
>
> For you interest, CVE was created and it has some interesting
> links inside (SANS one explains some general trends):
> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5161
>
> It seems that some vendors are moving to the CTR encryption mode as the
> default one. Does anyone has something to say about this? As I
> understand, the advisory from CPNI is public, so there is no point to
> refraining from discuissing this in the open lists. OpenSSH people, I
> understand that this is not just "two day business", but can you at
> least drop a mail that you're investigating this?
>
> Thanks a lot.
> --
> Eygene
> _ ___ _.--. #
> \`.|\..----...-'` `-._.-'_.-'` # Remember that it is hard
> / ' ` , __.--' # to read the on-line manual
> )/' _/ \ `-_, / # while single-stepping the kernel.
> `-'" `"\_ ,_.-;_.-\_ ', fsc/as #
> _.-'_./ {_.' ; / # -- FreeBSD Developers handbook
> {_.-``-' {_/ #
>
More information about the freebsd-security
mailing list