Subject: Re: [SECURITY ADVISORY] Truncated Diffie-Hellman secret length

From: Daniel Stenberg <daniel_at_haxx.se>
Date: Tue, 23 Feb 2016 20:40:57 +0100 (CET)

On Tue, 23 Feb 2016, Daniel Stenberg wrote:

> A patch for this problem is available at:
> https://www.libssh2.org/CVE-2016-0787.patch

Will Cosgrove pointed out to me that the patch is probably a bit too simple as
it missed fixing the diffie_hellman_sha1() function.

And 'yumkam' added this remark on GitHub:

... of which the second part I'm not really qualified to debate much, other
than it doesn't match what I've been told when we got this bug reported and
worked on a fix.

I'll welcome further thoughts and feedback on this!

  / daniel.haxx.se
libssh2-devel http://cool.haxx.se/cgi-bin/mailman/listinfo/libssh2-devel
Received on 2016-02-23