CVE-2023-48795: Backporting strict key exchange to older libssh

To: libssh@libssh.org, Aris Adamantiadis <aris@0xbadc0de.be>, Jakub Jelen <jjelen@redhat.com>
Cc: team@security.debian.org, libssh@packages.debian.org, debian-lts@lists.debian.org
Subject: CVE-2023-48795: Backporting strict key exchange to older libssh
From: Sean Whitton <spwhitton@spwhitton.name>
Date: Sat, 30 Dec 2023 19:33:00 +0000
Message-id: <[🔎] 871qb3zdsj.fsf@zephyr.silentflame.com>

Hello,

I am working to backport the fix for CVE-2023-48795 to libssh 0.8.7,
as part of Debian's Long Term Support effort, funded by Freexian SARL.
(I will later be seeking to backport the fix to 0.7.3 and 0.6.3 too, as
part of Freexian's Extended Long Term Support effort.)

I have two queries about this, if I may.

(1) These older libssh do not include the rekeying as implemented in
    commit 58cae236.  Is that rekeying necessary for the strict key
    exchange to be effective?

(2) Does anyone have a utility that tests the strict key exchange?
    Or, does the regular test suite already exercise the relevant code?
    I'm asking because the vulnerability scanner on terrapin-attack.com
    only seems to check for support of strict key exchange, not whether
    it actually works.

Thanks.

-- 
Sean Whitton

Attachment: signature.asc
Description: PGP signature

Reply to:

Prev by Date: Re: libssh CVE-2023-6004, CVE-2023-6918, CVE-2023-48795
Next by Date: Debian LTS and ELTS -- December 2023
Previous by thread: Re: Debian 10 upgrade of amd64 firefox-esr fails
Next by thread: Debian LTS and ELTS -- December 2023
Index(es):
- Date
- Thread