What documents have you been reading?
Take a look at the actual vulnerability advisory.
http://www.cpni.gov.uk/Docs/Vulnerability_Advisory_SSH.txt
Or the original posting by OpenSSH
http://www.securityfocus.com/archive/1/498558/30/0/threaded
Where is there any condition related to National
On Mon, Nov 24, 2008 at 11:39 PM, Damien Miller [EMAIL PROTECTED] wrote:
On Mon, 24 Nov 2008, Nick Boyce wrote:
Could someone please help the uncomprehending [i.e. me :-)] understand
why or whether this is anything to be worried about at all ?
Yes, the attack is very unlikely to work
On Mon, 24 Nov 2008, Nick Boyce wrote:
[ahem] ... Sorry to be dumb, but ...
On Fri, Nov 21, 2008 at 10:19 AM, Damien Miller [EMAIL PROTECTED] wrote:
Based on the description contained in the CPNI report and a slightly
more detailed description forwarded by CERT this issue appears to be
Nick Boyce [EMAIL PROTECTED] wrote:
[ahem] ... Sorry to be dumb, but ...
On Fri, Nov 21, 2008 at 10:19 AM, Damien Miller [EMAIL PROTECTED]
wrote:
Based on the description contained in the CPNI report and a slightly
more detailed description forwarded by CERT this issue appears to be
Maybe this was always clear, but along with that reassurance I guess
you would recommend we all take your stated remedial action :
[place] the following directive in sshd_config and ssh_config:
Ciphers aes128-ctr,aes256-ctr,arcfour256,arcfour,aes128-cbc,aes256-cbc
at the very next
Hey!
They put a condition because of National Security. Should that mean
that they use OpenSSH in National Security-sensitive applications
(interesting ;););))?
If so, should that mean that they implicitly recognize the very good
work done by the community?
If so, why not act politely
[ahem] ... Sorry to be dumb, but ...
On Fri, Nov 21, 2008 at 10:19 AM, Damien Miller [EMAIL PROTECTED] wrote:
Based on the description contained in the CPNI report and a slightly
more detailed description forwarded by CERT this issue appears to be
substantially similar to a known weakness in
OpenSSH Security Advisory: cbc.adv
Regarding the Plaintext Recovery Attack Against SSH reported as
CPNI-957037[1]:
The OpenSSH team has been made aware of an attack against the SSH
protocol version 2 by researchers at the University of London.
Unfortunately, due to the report lacking any