Openwall Project   /home  Owl  JtR  Pro  crypt  pam_passwdqc  tcb  phpass  scanlogd  popa3d  msulogin  /  Linux  BIND  /  advisories  presentations  /  services  donations  /  wordlists  passwords  /  news  community  lists  wiki  CVSweb  mirrors  signatures
bringing security into open environments
 
Password Recovery Resources on the Net
[<prev] [next>] [<thread-prev] [month] [year] [list] 
Date: Fri, 21 Nov 2008 16:20:44 +0300
From: Eygene Ryabinkin <rea-sec@...elabs.ru>
To: oss-security@...ts.openwall.com
Cc: coley@...re.org
Subject: Re: CVE Request (ssh)

Thu, Nov 20, 2008 at 09:12:42PM -0500, Steven M. Christey wrote:
> ======================================================
> Name: CVE-2008-5161
> 
> Error handling in the SSH protocol in (1) SSH Tectia Client and Server
> and Connector 4.0 through 4.4.11, 5.0 through 5.2.4, and 5.3 through
> 5.3.8; Client and Server and ConnectSecure 6.0 through 6.0.4; Server
> for Linux on IBM System z 6.0.4; Server for IBM z/OS 5.5.1 and
> earlier, 6.0.0, and 6.0.1; and Client 4.0-J through 4.3.3-J and 4.0-K
> through 4.3.10-K; and (2) OpenSSH 4.7p1 and possibly other versions,
> when using a block cipher algorithm in Cipher Block Chaining (CBC)
> mode, makes it easier for remote attackers to recover certain
> plaintext data from an arbitrary block of ciphertext in an SSH session
> via unknown vectors.

As was kindly answered to me in the freebsd-security list, OpenSSH's
response is here: http://openssh.org/txt/cbc.adv
-- 
Eygene

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Hosted by DataForce ISP - Powered by Openwall GNU/*/Linux