Announce: OpenSSH 7.5 released

Jakub Jelen jjelen at redhat.com
Wed Mar 22 02:27:20 AEDT 2017


On 03/20/2017 02:31 PM, Damien Miller wrote:
> OpenSSH 7.5 has just been released. It will be available from the
> mirrors listed at http://www.openssh.com/ shortly.
>
>
> Security
> --------
>
>  * ssh(1), sshd(8): Fix weakness in CBC padding oracle countermeasures
>    that allowed a variant of the attack fixed in OpenSSH 7.3 to proceed.
>    Note that the OpenSSH client disables CBC ciphers by default, sshd
>    offers them as lowest-preference options and will remove them by
>    default entriely in the next release. Reported by Jean Paul
>    Degabriele, Kenny Paterson, Martin Albrecht and Torben Hansen of
>    Royal Holloway, University of London.

Can we get some clarification on this CBC weakness from you or from the 
reporters? There is no update in the security page according to this 
security issue.

So far I understood that the CBC modes are disabled because we have 
better ciphers to choose from. Also I still have understanding that any 
of the attacks presented so far were not feasible. Did it change?

If I see right, the change related to this record is below, but the real 
effects are not clear even from the commit message:

https://github.com/openssh/openssh-portable/commit/0fb1a617

Thanks,
-- 
Jakub Jelen
Software Engineer
Security Technologies
Red Hat


More information about the openssh-unix-dev mailing list