
checkupdates: workaround Terrapin vuln

The fix for https://terrapin-attack.com/ requires that both the client and server implement the new strict key exchange. This scanner says that gitlab.com is still vulnerable. So this change stops the checkupdates SSH client from using the vulnerable algorithms.

$ ./Terrapin_Scanner_Linux_amd64 -connect gitlab.com
================================================================================
==================================== Report ====================================
================================================================================

Remote Banner: SSH-2.0-GitLab-SSHD

ChaCha20-Poly1305 support:   true
CBC-EtM support:             false

Strict key exchange support: false

The scanned peer is VULNERABLE to Terrapin.

Note: This tool is provided as is, with no warranty whatsoever. It determines
      the vulnerability of a peer by checking the supported algorithms and
      support for strict key exchange. It may falsely claim a peer to be
      vulnerable if the vendor supports countermeasures other than strict key
      exchange.

For more details visit our website available at https://terrapin-attack.com

I've tested this snippet on at.or.at, both for client and server. I'm going to roll it out elsewhere as well.

Edited by Hans-Christoph Steiner
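The client-side workaround the description refers to, as an added example that is not the merge request's own change: an OpenSSH `ssh_config` drop-in that removes the Terrapin-relevant algorithms from what the checkupdates client offers, plus small helper functions to filter `ssh -Q` output and to classify a negotiated cipher/MAC pair. Assumptions: the drop-in path, the function names and the sample algorithm lists are all constructed for this example; the `-` prefix syntax on `Ciphers` (remove from the default set, wildcards allowed) is OpenSSH's, so confirm your ssh version supports it.

```shell
#!/bin/sh
# Added example (not the merge request's own change): Terrapin workaround for an
# OpenSSH client when the server (gitlab.com per the scan above) does not yet
# offer strict key exchange. The drop-in path below is an assumption.

TERRAPIN_DROPIN="${TERRAPIN_DROPIN:-$HOME/.ssh/config.d/terrapin.conf}"  # assumed path

# Terrapin needs one of two things on the connection:
#   - the chacha20-poly1305@openssh.com cipher (any MAC), or
#   - a CBC cipher together with an encrypt-then-MAC (*-etm@openssh.com) MAC.
# Removing chacha20-poly1305 and every CBC cipher from the client's offer
# rules out both, whatever the server advertises; the ETM MACs can stay.
write_terrapin_config() {
    mkdir -p "$(dirname "$1")"
    cat > "$1" <<'EOF'
# Terrapin (CVE-2023-48795) workaround: until both peers support strict key
# exchange, do not offer the cipher modes the attack needs.
Host *
    Ciphers -chacha20-poly1305@openssh.com,*-cbc
EOF
}

# Filter a newline-separated cipher list (e.g. from `ssh -Q cipher`) down to
# the ciphers Terrapin cannot be mounted against.
terrapin_safe_ciphers() {
    grep -v -E '^chacha20-poly1305@openssh\.com$|-cbc$'
}

# Return 0 (true) when a negotiated cipher/MAC pair is one Terrapin can
# exploit, 1 otherwise. Mirrors the two cases the scanner above reports on.
terrapin_exposed() {
    cipher="$1"; mac="$2"
    case "$cipher" in
        chacha20-poly1305@openssh.com) return 0 ;;   # AEAD: MAC is irrelevant
        *-cbc)
            case "$mac" in
                *-etm@openssh.com) return 0 ;;       # CBC-EtM combination
            esac
            ;;
    esac
    return 1
}

# Stand-alone usage: write the drop-in and, if ssh is present, show the cipher
# list the client would actually offer to gitlab.com after the change.
if [ "${1:-}" = "install" ]; then
    write_terrapin_config "$TERRAPIN_DROPIN"
    echo "wrote $TERRAPIN_DROPIN"
    command -v ssh >/dev/null 2>&1 && \
        ssh -G -F "$TERRAPIN_DROPIN" gitlab.com | grep -E '^(ciphers|macs) '
fi
```

Note that `Host *` entries in a drop-in are only honoured if the main `~/.ssh/config` includes it (`Include config.d/*.conf`) before any other `Host` block, and that the drop-in narrows the default set rather than replacing it, so a later OpenSSH release that changes its defaults is not overridden. `ssh -G gitlab.com` is the quickest check that `chacha20-poly1305@openssh.com` no longer appears in the effective `ciphers` line.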
