Skip to content

v3.1.0

Compare
Choose a tag to compare
@jtesta jtesta released this 20 Dec 18:37
· 100 commits to master since this release
v3.1.0

This release features tests for the Terrapin message prefix truncation vulnerability in the SSH protocol (CVE-2023-48795), along with other minor enhancements and fixes.

This version is also available as a PyPI package (pip3 install ssh-audit), Docker image (docker pull positronsecurity/ssh-audit), Snap package (snap install ssh-audit), or as a Windows executable (see below, though be aware that sometimes Windows Defender inappropriately detects it as malware!).

The full change log is:

  • Added test for the Terrapin message prefix truncation vulnerability (CVE-2023-48795).
  • Dropped support for Python 3.7 (EOL was reached in June 2023).
  • Added Python 3.12 support.
  • In server policies, reduced expected DH modulus sizes from 4096 to 3072 to match the online hardening guides (note that 3072-bit moduli provide the equivalent of 128-bit symmetric security).
  • In Ubuntu 22.04 client policy, moved host key types [email protected] and ssh-ed25519 to the end of all certificate types.
  • Updated Ubuntu Server & Client policies for 20.04 and 22.04 to account for key exchange list changes due to Terrapin vulnerability patches.
  • Re-organized option host key types for OpenSSH 9.2 server policy to correspond with updated Debian 12 hardening guide.
  • Added built-in policies for OpenSSH 9.5 and 9.6.
  • Added an additional_notes field to the JSON output.