Date: Fri, 21 Nov 2008 22:10:32 +1100 (EST) From: Damien Miller <djm@mindrot.org> To: Eygene Ryabinkin <rea-fbsd@codelabs.ru> Cc: freebsd-security@freebsd.org, openssh@openssh.com Subject: Re: Plaintext recovery attack in SSH, discovered by CPNI? Message-ID: <alpine.BSO.1.10.0811212210240.16202@fuyu.mindrot.org> In-Reply-To: <Nr4bFBjnW8SC2cBhy37/xqxP6SM@h3Iv%2BXGzMlVsqQhKLTPQUFtjrxk> References: <6p2tlso0g3Xi5suHfErE3rcPs54@Mr6N54GlMnGhD%2BRQ1Yhx%2B24IxLk> <Nr4bFBjnW8SC2cBhy37/xqxP6SM@h3Iv%2BXGzMlVsqQhKLTPQUFtjrxk>
next in thread | previous in thread | raw e-mail | index | archive | help
see http://www.openssh.com/txt/cbc.adv On Fri, 21 Nov 2008, Eygene Ryabinkin wrote: > Me again. > > Wed, Nov 19, 2008 at 04:20:58PM +0300, Eygene Ryabinkin wrote: > > Just came across the following list in the oss-security list: > > http://www.cpni.gov.uk/Docs/Vulnerability_Advisory_SSH.txt > > For you interest, CVE was created and it has some interesting > links inside (SANS one explains some general trends): > http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5161 > > It seems that some vendors are moving to the CTR encryption mode as the > default one. Does anyone has something to say about this? As I > understand, the advisory from CPNI is public, so there is no point to > refraining from discuissing this in the open lists. OpenSSH people, I > understand that this is not just "two day business", but can you at > least drop a mail that you're investigating this? > > Thanks a lot. > -- > Eygene > _ ___ _.--. # > \`.|\..----...-'` `-._.-'_.-'` # Remember that it is hard > / ' ` , __.--' # to read the on-line manual > )/' _/ \ `-_, / # while single-stepping the kernel. > `-'" `"\_ ,_.-;_.-\_ ', fsc/as # > _.-'_./ {_.' ; / # -- FreeBSD Developers handbook > {_.-``-' {_/ # >
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?alpine.BSO.1.10.0811212210240.16202>