Re: Backport for OpenSSH CBC Mode Information Disclosure Vulnerability
Sam Kuper <sam.kuper@uclmail.net> writes:
> 2009/6/30 Nico Golde
> <debian-security+ml@ngolde.de<debian-security%2Bml@ngolde.de>
>> http://security-tracker.debian.net/tracker/CVE-2008-5161
> Ouch! I agree with the note.
My understanding is that you then terminate the connection you're
attacking as part of the attempt to recover the cleartext unless you
happen to succeed. I think it's going to be very hard to launch this
attack effectively in a real-world situation. That's also upstream's
position:
http://www.openssh.com/txt/cbc.adv
--
Russ Allbery (rra@debian.org) <http://www.eyrie.org/~eagle/>
Reply to: