oss-sec mailing list archives
Re: [EXT] Re: [oss-security] CVE-2023-51767: a bogus CVE in OpenSSH
From: Damien Miller <djm () mindrot org>
Date: Mon, 29 Sep 2025 12:44:33 +1000 (AEST)
On Sun, 28 Sep 2025, Adiletta, Andrew wrote:
> Theo,
>
> Even after two years we stand behind our paper and the contributions as outlined. There is nothing more natural for any vulnerability researcher to evaluate the most widely used products. If we had doubts about the claim or any of the POCs, we would have simply not included them in the paper.

Again, the POCs were not against OpenSSH but your modified version and you did not demonstrate any of the techniques that you suppose could have been used to make the attack viable against the unmodified product. Your abstract therefore clearly overstates the extent of your work. The fact that someone filed this CVE based on your paper demonstrates that it is misleading.

-d
