OpenSSH and SLOTH vulnerability
Sandeep Umesh
sanumesh at in.ibm.com
Mon Jan 18 20:39:30 AEDT 2016
Hi
I have 2 questions related to info in the SLOTH article. Can someone help
with these?
1. For SSH2 exposure for the (CVE-2015-7575) SLOTH
(http://www.mitls.org/pages/attacks/SLOTH), the chart in that URL
identifies a downgrade attack for SSH2 protocol, Key Exchange Integrity
SHA1. Is the remediation for that vulnerability to modify the config
files to remove the MD5 and SHA1 as MACs (Message Authentication Codes)?
2. Is there any exposure related to using the ssh-keygen for the initial
creation of the public/private key pairs or the exposure of the related
fingerprint used (https://en.wikipedia.org/wiki/Public_key_fingerprint)?
Thanks
Regards
Sandeep
More information about the openssh-unix-dev mailing list