Damien Miller <[email protected]> wrote:
> On Wed, 24 Sep 2025, Adiletta, Andrew wrote:
>
> > Hi Alexander and Team,
> >
> > Thank you for the interest in our paper, and we appreciate all the
> > feedback. We wanted to address two points - the OpenSSH CVE, and the
> > comments from the OpenSSH community about the practicality of the attack.
> >
> > On CVE-2023-51767 (OpenSSH), we did not submit this CVE. Our team
> > coordinates with vendors / software maintainers before submitting CVEs to
> > make sure there is agreement. The CVE description does seem
> > mischaracterized, as this is not a zero-click type vulnerability as the CVE
> > suggests, and we would not oppose either a revision or other action. We did
> > work with Todd Miller on a SUDO CVE (CVE-2023-42465), with whom we worked
> > to release a patch.
> >
> > However, on the practicality, I do believe that we did not mischaracterize
> > the attack in the paper, and as Alexander concisely mentioned, we are really
> > trying to emphasize the issues with simple 0/1 flag logic that leads down to
> > sensitive execution flows.
>
> Sure, but my criticism at the time was that your paper claimed in
> the abstract to have successfully attacked OpenSSH to bypass
> authentication but what was actually attacked was a modified version
> of sshd run in a highly unrealistic and synchronised setting.
>
> IMO this context matters and doesn't detract from your findings.
Andrew, I think you should answer Damien's comment. I'm a bit more cynical, and think this is very close to open source community engagement malpractice -- where you picked projects specifically to increase readership of your paper, and went through the effort to construct synthetic justification, and I think you should consider issuing an official apology and/or official retraction of those statements about OpenSSH being vulnerable. There you have it, that's my opinion on this.
