Plaintext recovery attack in SSH, discovered by CPNI?
Eygene Ryabinkin
rea-fbsd at codelabs.ru
Thu Nov 20 21:50:50 PST 2008
Me again.
Wed, Nov 19, 2008 at 04:20:58PM +0300, Eygene Ryabinkin wrote:
> Just came across the following list in the oss-security list:
> http://www.cpni.gov.uk/Docs/Vulnerability_Advisory_SSH.txt
For you interest, CVE was created and it has some interesting
links inside (SANS one explains some general trends):
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5161
It seems that some vendors are moving to the CTR encryption mode as the
default one. Does anyone has something to say about this? As I
understand, the advisory from CPNI is public, so there is no point to
refraining from discuissing this in the open lists. OpenSSH people, I
understand that this is not just "two day business", but can you at
least drop a mail that you're investigating this?
Thanks a lot.
--
Eygene
_ ___ _.--. #
\`.|\..----...-'` `-._.-'_.-'` # Remember that it is hard
/ ' ` , __.--' # to read the on-line manual
)/' _/ \ `-_, / # while single-stepping the kernel.
`-'" `"\_ ,_.-;_.-\_ ', fsc/as #
_.-'_./ {_.' ; / # -- FreeBSD Developers handbook
{_.-``-' {_/ #
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 195 bytes
Desc: not available
Url : http://lists.freebsd.org/pipermail/freebsd-security/attachments/20081121/ae50b59a/attachment.pgp
More information about the freebsd-security
mailing list