[prev in list] [next in list] [prev in thread] [next in thread] 

List:       oss-security
Subject:    Re: [oss-security] CVE Request (ssh)
From:       Eygene Ryabinkin <rea-sec () codelabs ! ru>
Date:       2008-11-21 13:20:44
Message-ID: nDfOhR/OHmaw6oa8SfHbTznfpfA () ZKNbuquk3iGGXdmv9wrsaHV7Oxw
[Download RAW message or body]

Thu, Nov 20, 2008 at 09:12:42PM -0500, Steven M. Christey wrote:
> ======================================================
> Name: CVE-2008-5161
> 
> Error handling in the SSH protocol in (1) SSH Tectia Client and Server
> and Connector 4.0 through 4.4.11, 5.0 through 5.2.4, and 5.3 through
> 5.3.8; Client and Server and ConnectSecure 6.0 through 6.0.4; Server
> for Linux on IBM System z 6.0.4; Server for IBM z/OS 5.5.1 and
> earlier, 6.0.0, and 6.0.1; and Client 4.0-J through 4.3.3-J and 4.0-K
> through 4.3.10-K; and (2) OpenSSH 4.7p1 and possibly other versions,
> when using a block cipher algorithm in Cipher Block Chaining (CBC)
> mode, makes it easier for remote attackers to recover certain
> plaintext data from an arbitrary block of ciphertext in an SSH session
> via unknown vectors.

As was kindly answered to me in the freebsd-security list, OpenSSH's
response is here: http://openssh.org/txt/cbc.adv
-- 
Eygene
[prev in list] [next in list] [prev in thread] [next in thread]