Subject: Re: [SECURITY ADVISORY] Truncated Diffie-Hellman secret length

From: Daniel Stenberg <daniel_at_haxx.se>
Date: Tue, 23 Feb 2016 20:40:57 +0100 (CET)

On Tue, 23 Feb 2016, Daniel Stenberg wrote:

> A patch for this problem is available at:
>
> https://www.libssh2.org/CVE-2016-0787.patch

Will Cosgrove pointed out to me that the patch is probably a bit too simple as
it missed fixing the diffie_hellman_sha1() function.

And 'yumkam' added this remark on github:
https://github.com/libssh2/libssh2/commit/ca5222ea819cc5ed797860070b4c6c1aeeb28420#commitcomment-16277362

... of which the second part I'm not really qualified to debate much, other
than it doesn't match what I've been told when we got this bug reported and
worked on a fix.

I'll welcome further thoughts and feedback on this!

-- 
  / daniel.haxx.se
_______________________________________________
libssh2-devel http://cool.haxx.se/cgi-bin/mailman/listinfo/libssh2-devel
Received on 2016-02-23