===========================================================
== Subject:     Missing packet filter for DH-GEX key exchange method
==
== Versions:    libssh <= 0.11.1, <= 0.10.6,
==
== Summary:     libssh did not implement packet filtering for DH-GEX,
==              which could cause unexpected packets to be accepted
==              during key exchange, potentially violating strict key
==              exchange requirements.
==
===========================================================

===========
Description
===========

As part of the mitigation for CVE-2018-10933, we implemented a strict
packet filter that rejects unexpected packets during different exchange
states. When the Diffie-Hellman Group Exchange (RFC 4419) was implemented,
the packet filter for the new message types was never added.

As a result, some of the messages could be accepted multiple times during
the initial key exchange, violating the strict-kex requirements and
possibly exposing libssh to a variant of the Terrapin attack.

==================
Patch Availability
==================

Patches addressing the issues have been posted to:

    https://www.libssh.org/security/

Additionally, libssh $VERSIONS have been issued as security releases to
correct the defect. SSH administrators are advised to upgrade to these
releases or apply the patch as soon as possible.

==========
Workaround
==========

Disable the `diffie-hellman-group-exchange-sha1` and
`diffie-hellman-group-exchange-sha256` key exchange methods through the
configuration file or the options API.

=======
Credits
=======

Originally reported by Fabian Bäumer, Marcel Maehren, Marcus Brinkmann,
and Jörg Schwenk from Ruhr University Bochum.

Patches provided by Jakub Jelen of the libssh team.

==========================================================
== The libssh team
==========================================================
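
A minimal sketch of the kind of per-state filter the Description refers to, added here as an example and not taken from libssh or its patch. The state and function names are hypothetical, the message numbers are those of RFC 4419, and the client is assumed to have already sent its group exchange request.

```c
#include <stdio.h>

/* Message numbers from RFC 4419 */
enum { GEX_REQUEST_OLD = 30, GEX_GROUP = 31, GEX_INIT = 32,
       GEX_REPLY = 33, GEX_REQUEST = 34 };

/* Hypothetical client-side states, not libssh's internal names */
enum gex_state { ST_REQUEST_SENT, ST_INIT_SENT, ST_DONE };

/* Return 1 if msg is expected in the current state and advance the
 * state, so that a second copy of the same message is rejected.
 * Return 0 for anything else. */
int gex_client_filter(enum gex_state *st, int msg)
{
    switch (msg) {
    case GEX_GROUP:                    /* server -> client, once */
        if (*st != ST_REQUEST_SENT) return 0;
        *st = ST_INIT_SENT;            /* client replies with GEX_INIT */
        return 1;
    case GEX_REPLY:                    /* server -> client, once */
        if (*st != ST_INIT_SENT) return 0;
        *st = ST_DONE;
        return 1;
    default:                           /* client-only or unrelated type */
        return 0;
    }
}

/* Run a constructed sequence of incoming message types through the
 * filter. Returns the index of the first rejected packet, or -1 if
 * every packet was accepted. Assumption: the caller drops the
 * connection at the first rejection. */
int gex_first_rejected(const int *msgs, int n)
{
    enum gex_state st = ST_REQUEST_SENT;
    for (int i = 0; i < n; i++)
        if (!gex_client_filter(&st, msgs[i]))
            return i;
    return -1;
}

int main(void)
{
    const int normal[]   = { GEX_GROUP, GEX_REPLY };            /* constructed */
    const int repeated[] = { GEX_GROUP, GEX_GROUP, GEX_REPLY }; /* constructed */
    printf("normal:   first rejected = %d\n", gex_first_rejected(normal, 2));
    printf("repeated: first rejected = %d\n", gex_first_rejected(repeated, 3));
    return 0;
}
```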