www.libssh2.org | Daily snapshots | Mailing list archive | Docs | Examples | github

Archive Index This month's Index

Subject: Re: [SECURITY ADVISORY] Truncated Difffie-Hellman secret length

Re: [SECURITY ADVISORY] Truncated Difffie-Hellman secret length

From: Daniel Stenberg <daniel_at_haxx.se>
Date: Tue, 23 Feb 2016 20:40:57 +0100 (CET)

On Tue, 23 Feb 2016, Daniel Stenberg wrote:

> A patch for this problem is available at:
>
> https://www.libssh2.org/CVE-2016-0787.patch

Will Cosgrove pointed out to me that the patch is probably a bit too simple as
it missed fixing the diffie_hellman_sha1() function.

And 'yumkam' added this remark on github:
https://github.com/libssh2/libssh2/commit/ca5222ea819cc5ed797860070b4c6c1aeeb28420#commitcomment-16277362

... of which the second part I'm not really qualified to debate much, other
than it doesn't match what I've been told when we got this bug reported and
worked on a fix.

I'll welcome further thoughts and feedback on this!

-- 
  / daniel.haxx.se
_______________________________________________
libssh2-devel http://cool.haxx.se/cgi-bin/mailman/listinfo/libssh2-devel
Received on 2016-02-23

the libssh2 team