Bug#1059393: ABACuS arXiv.2310.09977

2023-12-31 Thread Boud Roukema

hi Colin, all,

On Sat, 30 Dec 2023, Colin Watson wrote:


> This is a proposal for redesigned memory controllers.  It isn't an
> actionable mitigation at the level of OpenSSH.


You're right: the end of the paragraph "Key Mechanism" on page 2 and
Section 4.1 "ABACuS's Hardware Design" make that clear. It's a
(proposed) hardware solution.

Cheers
Boud



Bug#1059393: ABACuS arXiv.2310.09977

2023-12-30 Thread Colin Watson

On Tue, Dec 26, 2023 at 12:03:36PM +0100, Boud Roukema wrote:
> There's a proposed mitigation for CVE-2023-51767 with ABACuS:
> 
> https://arxiv.org/abs/2310.09977
> 
> https://github.com/CMU-SAFARI/ABACuS

This is a proposal for redesigned memory controllers.  It isn't an
actionable mitigation at the level of OpenSSH.

-- 
Colin Watson (he/him)  [cjwat...@debian.org]



Bug#1059393: ABACuS arXiv.2310.09977

2023-12-26 Thread Boud Roukema

hi openssh maintainers,

There's a proposed mitigation for CVE-2023-51767 with ABACuS:

https://arxiv.org/abs/2310.09977

https://github.com/CMU-SAFARI/ABACuS

Something on this should probably be added to the "Notes" at
https://security-tracker.debian.org/tracker/CVE-2023-51767 .

Disclaimer: I just saw the citation - I have no expertise in checking
the validity of the exploit or the mitigation.

Cheers
Boud

PS: Conspiracy theory (numerology): this bug number is 105000 +
101*93, while the ArXiv ID after YYMM is 101*97. Common to
both is 101*p where p is a prime and p < 100 . ;)