Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Date: Wed, 26 Mar 2014 14:24:04 +0100
From: Thijs Kinkhorst <>
Subject: CVE request: openssh client does not check SSHFP if server offers certificate


A vulnerability in OpenSSH's ssh client has been reported in Debian's BTS:

If the ssh server offers a HostCertificate that the ssh client doesn't accept, 
then the client doesn't then check the DNS for SSHFP records. This is a 
security problem because it means that a malicious server can disable SSHFP-
checking by presenting a certificate. Note that users are still presented the 
well-known "host verification prompt".

Given the prompt will and the still rather peripheral reliance on SSHFP, we 
consider this an issue of low severity.

Please assign a CVE name for this issue.


Thijs Kinkhorst
Debian Security Team

Download attachment "signature.asc " of type "application/pgp-signature" (491 bytes)

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.