Bumped version to 3.1.0 in preparation for stable release. Updated Change Log in README.

Updated notes on fixing Terrapin vulnerability.
2026-05-25 23:41:22 +02:00 · 2023-12-20 13:12:13 -05:00 · 2023-12-20 12:11:55 -05:00
3 changed files with 7 additions and 7 deletions
@@ -151,7 +151,7 @@ Below is a screen shot of the client-auditing output when an unhardened OpenSSH
 Guides to harden server & client configuration can be found here: [https://www.ssh-audit.com/hardening_guides.html](https://www.ssh-audit.com/hardening_guides.html)

 ## Pre-Built Packages
-Pre-built packages are available for Windows (see the releases page), PyPI, Snap, and Docker:
+Pre-built packages are available for Windows (see the [Releases](https://github.com/jtesta/ssh-audit/releases) page), PyPI, Snap, and Docker:

 To install from PyPI:
 ```
@@ -178,16 +178,16 @@ For convenience, a web front-end on top of the command-line tool is available at

 ## ChangeLog

-### v3.1.0-dev (???)
+### v3.1.0 (2023-12-20)
 - Added test for the Terrapin message prefix truncation vulnerability ([CVE-2023-48795](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-48795)).
 - Dropped support for Python 3.7 (EOL was reached in June 2023).
- - Added Python 3.12 to Tox tests.
- - In server policies, reduced expected DH modulus sizes from 4096 to 3072 to match online hardening guides (note that 3072-bit moduli provide the equivalent of 128-bit symmetric security).
+ - Added Python 3.12 support.
+ - In server policies, reduced expected DH modulus sizes from 4096 to 3072 to match the [online hardening guides](https://ssh-audit.com/hardening_guides.html) (note that 3072-bit moduli provide the equivalent of 128-bit symmetric security).
 - In Ubuntu 22.04 client policy, moved host key types `sk-ssh-ed25519@openssh.com` and `ssh-ed25519` to the end of all certificate types.
 - Updated Ubuntu Server & Client policies for 20.04 and 22.04 to account for key exchange list changes due to Terrapin vulnerability patches.
 - Re-organized option host key types for OpenSSH 9.2 server policy to correspond with updated Debian 12 hardening guide.
 - Added built-in policies for OpenSSH 9.5 and 9.6.
- - Added an "additional_notes" field to the JSON output.
+ - Added an `additional_notes` field to the JSON output.

 ### v3.0.0 (2023-09-07)
 - Results from concurrent scans against multiple hosts are no longer improperly combined; bug discovered by [Adam Russell](https://github.com/thecliguy).
@@ -22,7 +22,7 @@
   THE SOFTWARE.
 """
 # The version to display.
-VERSION = 'v3.1.0-dev'
+VERSION = 'v3.1.0'

 # SSH software to impersonate
 SSH_HEADER = 'SSH-{0}-OpenSSH_8.2'
@@ -593,7 +593,7 @@ def post_process_findings(banner: Optional[Banner], algs: Algorithms, client_aud
    # Return a note telling the user that, while this target is properly configured, if connected to a vulnerable peer, then a vulnerable connection is still possible.
    notes = ""
    if len(algs_to_note) > 0:
-        notes = "Be aware that, while this target properly supports the strict key exchange method (via the kex-strict-?-v00@openssh.com marker) needed to protect against the Terrapin vulnerability (CVE-2023-48795), all peers must also support this feature as well, otherwise the vulnerability will still be present.  The following algorithms would allow an unpatched peer to create vulnerable SSH channels with this target: %s" % ", ".join(algs_to_note)
+        notes = "Be aware that, while this target properly supports the strict key exchange method (via the kex-strict-?-v00@openssh.com marker) needed to protect against the Terrapin vulnerability (CVE-2023-48795), all peers must also support this feature as well, otherwise the vulnerability will still be present.  The following algorithms would allow an unpatched peer to create vulnerable SSH channels with this target: %s.  If any CBC ciphers are in this list, you may remove them while leaving the *-etm@openssh.com MACs in place; these MACs are fine while paired with non-CBC cipher types." % ", ".join(algs_to_note)

    # Add the chacha ciphers, CBC ciphers, and ETM MACs to the recommendation suppression list if they are not enabled on the server.  That way they are not recommended to the user to enable if they were explicitly disabled to handle the Terrapin vulnerability.  However, they can still be recommended for disabling.
    algorithm_recommendation_suppress_list += _get_chacha_ciphers_not_enabled(db, algs)
Author	SHA1	Message	Date
Joe Testa	dd91c2a41a	Bumped version to 3.1.0 in preparation for stable release. Updated Change Log in README.	2023-12-20 13:12:13 -05:00
Joe Testa	bef8c6c0f7	Updated notes on fixing Terrapin vulnerability.	2023-12-20 12:11:55 -05:00