> It appears that a patch for SSH Tectia plaintext recovery > vulnerability (reference: > http://www.cpni.gov.uk/Docs/Vulnerability_Advisory_SSH.txt ) has been > released: [...]
Is there any public description of the vulnerability precise enough for me as an ssh implementor to use to tell whether I'm vulnerable too? The closest thing I've found is http://www.cpni.gov.uk/Docs/Vulnerability_Advisory_SSH_v2.0.txt, which says only that it "works by analysing the behaviour of the SSH connection when handling certain types of errors" and that it depends on CBC-mode crypto. These are interesting hints, but definitely not enough to actually work out whether my implementation is vulnerable. /~\ The ASCII Mouse \ / Ribbon Campaign X Against HTML [EMAIL PROTECTED] / \ Email! 7D C8 61 52 5D E7 2D 39 4E F1 31 3E E8 B3 27 4B _______________________________________________ Fun and Misc security discussion for OT posts. https://linuxbox.org/cgi-bin/mailman/listinfo/funsec Note: funsec is a public and open mailing list.
