Comment 1 for bug 379329

Armindo Silva (deathon2legs) wrote : Re: Security flaw in openSSH prior to 5.2

It appears that there's no need to backport a new version of OpenSSH. As you can see here: http://www.openssh.com/txt/cbc.adv you only need to add this line:

Ciphers aes128-ctr,aes256-ctr,arcfour256,arcfour,aes128-cbc,aes256-cbc

to ssh_config and sshd_config and restart the daemon.
Also:
The severity is considered to be potentially HIGH due to the
32 bits of plaintext that can be recovered. However, the
likelihood of a successful attack is considered LOW.
(http://www.openssh.com/txt/cbc.adv)
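
A way to confirm that a config file actually carries the cipher ordering described in the comment above, as an added example that is not part of the original comment or of OpenSSH. The function names and status strings are hypothetical, and the check assumes a global, whitespace-separated `Ciphers` directive.

```shell
#!/bin/sh
# Added example: check that an OpenSSH config file lists CTR-mode ciphers
# ahead of CBC-mode ciphers, as the line quoted from cbc.adv does.
# Assumption: "Ciphers <list>" form, outside any Host/Match block.

# Print the effective cipher list. OpenSSH keeps the first value it reads
# for a keyword, so only the first uncommented Ciphers line counts.
effective_ciphers() {
    awk 'tolower($1) == "ciphers" { print $2; exit }' "$1"
}

# Print one of: missing | cbc-before-ctr | no-ctr | ok
check_cipher_order() {
    list=$(effective_ciphers "$1")
    [ -n "$list" ] || { echo missing; return 0; }
    seen_cbc=0
    seen_ctr=0
    old_ifs=$IFS
    IFS=,
    for c in $list; do
        case $c in
            *-cbc) seen_cbc=1 ;;
            *-ctr)
                seen_ctr=1
                # A CTR cipher listed after a CBC one means CBC is preferred.
                if [ "$seen_cbc" -eq 1 ]; then
                    IFS=$old_ifs
                    echo cbc-before-ctr
                    return 0
                fi ;;
        esac
    done
    IFS=$old_ifs
    [ "$seen_ctr" -eq 1 ] && echo ok || echo no-ctr
}

# Constructed sample input: the Ciphers line from the comment above.
sample=$(mktemp)
printf '%s\n' '# constructed sample config' \
    'Ciphers aes128-ctr,aes256-ctr,arcfour256,arcfour,aes128-cbc,aes256-cbc' \
    > "$sample"
echo "sample config: $(check_cipher_order "$sample")"
rm -f "$sample"
```

Run it against both ssh_config and sshd_config, since the comment says the line is needed in each.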