CVE-2023-48795: Backporting strict key exchange to older libssh


I am working to backport the fix for CVE-2023-48795 to libssh 0.8.7,
as part of Debian's Long Term Support effort, funded by Freexian SARL.
(I will later be seeking to backport the fix to 0.7.3 and 0.6.3 too, as
part of Freexian's Extended Long Term Support effort.)

I have two queries about this, if I may.

(1) These older libssh do not include the rekeying as implemented in
    commit 58cae236.  Is that rekeying necessary for the strict key
    exchange to be effective?

(2) Does anyone have a utility that tests the strict key exchange?
    Or, does the regular test suite already exercise the relevant code?
    I'm asking because the vulnerability scanner on terrapin-attack.com
    only seems to check for support of strict key exchange, not whether
    it actually works.


Sean Whitton
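
The distinction raised in query (2), as an added example that is not part of the original post and not libssh code: a check that only reads the peer's unencrypted SSH_MSG_KEXINIT and looks for the strict key exchange marker in the kex_algorithms name-list. The marker names are those defined by OpenSSH's strict KEX extension; the function names and the sample KEXINIT are constructed for illustration. A positive result shows advertisement only; it does not exercise the sequence number reset or the rejection of unexpected messages during the initial key exchange.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#define SSH_MSG_KEXINIT 20
#define STRICT_KEX_SERVER "kex-strict-s-v00@openssh.com"
#define STRICT_KEX_CLIENT "kex-strict-c-v00@openssh.com"
#define KEX_HDR (1 + 16)                  /* message type + cookie */

/* Returns 1 if `marker` is an entry of the kex_algorithms name-list of an
 * unencrypted SSH_MSG_KEXINIT payload, 0 if absent, -1 if malformed. */
int kexinit_advertises(const uint8_t *p, size_t len, const char *marker)
{
    size_t mlen = strlen(marker);
    if (len < KEX_HDR + 4 || p[0] != SSH_MSG_KEXINIT)
        return -1;
    uint32_t n = ((uint32_t)p[KEX_HDR] << 24) | ((uint32_t)p[KEX_HDR + 1] << 16) |
                 ((uint32_t)p[KEX_HDR + 2] << 8) | (uint32_t)p[KEX_HDR + 3];
    if (n > len - KEX_HDR - 4)
        return -1;                        /* name-list overruns the payload */
    const uint8_t *list = p + KEX_HDR + 4;
    size_t start = 0;
    for (size_t i = 0; i <= n; i++) {
        if (i == n || list[i] == ',') {   /* end of one comma-separated name */
            if (i - start == mlen && memcmp(list + start, marker, mlen) == 0)
                return 1;                 /* whole-name match, not substring */
            start = i + 1;
        }
    }
    return 0;
}

/* Constructed sample: zero cookie, given kex list, remaining fields empty. */
size_t build_sample_kexinit(uint8_t *out, size_t cap, const char *kex_list)
{
    size_t n = strlen(kex_list);
    size_t total = KEX_HDR + 4 + n + 9 * 4 + 1 + 4;
    if (n > 0xffff || cap < total)
        return 0;
    memset(out, 0, total);
    out[0] = SSH_MSG_KEXINIT;
    out[KEX_HDR + 2] = (uint8_t)(n >> 8);
    out[KEX_HDR + 3] = (uint8_t)n;
    memcpy(out + KEX_HDR + 4, kex_list, n);
    return total;
}

int main(void)
{
    uint8_t buf[256];
    size_t len = build_sample_kexinit(buf, sizeof buf,
                                      "curve25519-sha256," STRICT_KEX_SERVER);
    printf("server advertises strict kex: %d\n",
           kexinit_advertises(buf, len, STRICT_KEX_SERVER));
    return 0;
}
```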

