Hello,

I am working to backport the fix for CVE-2023-48795 to libssh 0.8.7, as part of Debian's Long Term Support effort, funded by Freexian SARL. (I will later be seeking to backport the fix to 0.7.3 and 0.6.3 too, as part of Freexian's Extended Long Term Support effort.)

I have two queries about this, if I may.

(1) These older libssh do not include the rekeying as implemented in commit 58cae236. Is that rekeying necessary for the strict key exchange to be effective?

(2) Does anyone have a utility that tests the strict key exchange? Or, does the regular test suite already exercise the relevant code? I'm asking because the vulnerability scanner on terrapin-attack.com only seems to check for support of strict key exchange, not whether it actually works.

Thanks.

--
Sean Whitton