thought's on hostgator's "patch"

Damien Miller djm at
Tue Jul 14 12:17:25 EST 2009

On Mon, 13 Jul 2009, ahlist wrote:

> I realize the recent ssh exploit rumors appear to be false.
> However I've not saw any comments on hostgator's "patch"

The CBC cipher protocol weakness reported by CPNI is not an 0day attack
against sshd, so this configuration change (it is not really a patch)
will not offer any real protection against 0day attacks (real or

We are not aware of any other vulnerabilities relating to CBC mode
ciphers. Cipher vulnerabilities usually lead to information disclosure
rather than remote code execution anyway.

> They continue to talk as if they have inside information.

I haven't been in contact with anyone identifying themselves as being
associated with Hostgator, and I don't have any inside information to
give anyway.


More information about the openssh-unix-dev mailing list