
Create new shell2http binaries to solve CVE-2016-2183

Open jlvrhee opened this issue 3 years ago • 3 comments

The current version of the shell2http binaries is built with an old Go version, which causes our security tooling to report CVE-2016-2183.

This seems to be solved with a new go version: link

Could you please create a new version of the shell2http binaries by triggering the GitHub Action to publish the compiled code (like was done with the last version: link)?

Thanks for your help

jlvrhee avatar Aug 19 '22 15:08 jlvrhee

@jlvrhee I've created the new release - https://github.com/msoap/shell2http/releases/tag/v1.14.2

msoap avatar Aug 20 '22 17:08 msoap

@msoap Thanks for the quick help. We will install the new version and test to see if the issue is resolved.

jlvrhee avatar Aug 23 '22 07:08 jlvrhee

@msoap Unfortunately the new release didn't solve our issue. After some investigation we found that the improvements that have been made in the new Go versions (crypto/tls package) were related to the client side but not to the server side.

Therefore code changes are needed to really solve this issue. Could you please:

  1. Disable TLS 1.0 and TLS 1.1, or at least make this configurable, as these are seen as insecure.
  2. Disable old ciphers that support 64-bit blocks. Best would be to only allow modern block ciphers with 128-bit blocks such as AES. Or at least make this configurable. For more info see https://sweet32.info/

jlvrhee avatar Aug 29 '22 14:08 jlvrhee
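
The two server-side changes requested in the last comment can be expressed with Go's `crypto/tls` as below. This is an added example, not shell2http's own code: the function names `modernSuites`, `HardenedConfig`, `LegacyExample` and `Audit` are hypothetical, and the legacy config is constructed for illustration.

```go
package main

import (
	"crypto/tls"
	"fmt"
	"strings"
)

// modernSuites: Go's non-deprecated TLS 1.2 suite IDs, with any 3DES (64-bit block) suite dropped by name.
func modernSuites() []uint16 {
	var ids []uint16
	for _, s := range tls.CipherSuites() {
		for _, v := range s.SupportedVersions {
			if v == tls.VersionTLS12 && !strings.Contains(s.Name, "3DES") {
				ids = append(ids, s.ID)
			}
		}
	}
	return ids
}

// HardenedConfig is a server config with TLS 1.0/1.1 and 3DES disabled.
func HardenedConfig() *tls.Config {
	return &tls.Config{MinVersion: tls.VersionTLS12, CipherSuites: modernSuites()}
}

// LegacyExample is a constructed config showing both problems from the issue.
func LegacyExample() *tls.Config {
	return &tls.Config{MinVersion: tls.VersionTLS10, CipherSuites: []uint16{
		tls.TLS_RSA_WITH_3DES_EDE_CBC_SHA, tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256}}
}

// Audit reports a protocol floor not pinned to TLS 1.2 and explicitly enabled 3DES suites.
func Audit(cfg *tls.Config) []string {
	var out []string
	if cfg.MinVersion < tls.VersionTLS12 {
		out = append(out, fmt.Sprintf(
			"MinVersion 0x%04x does not pin TLS 1.2 (0 means the Go release default applies)", cfg.MinVersion))
	}
	for _, id := range cfg.CipherSuites {
		if name := tls.CipherSuiteName(id); strings.Contains(name, "3DES") {
			out = append(out, "64-bit block cipher enabled: "+name)
		}
	}
	return out
}

func main() {
	fmt.Println("legacy:  ", Audit(LegacyExample()))
	fmt.Println("hardened:", Audit(HardenedConfig()))
}
```

A config like `HardenedConfig()` would be assigned to the `TLSConfig` field of the `http.Server` that terminates TLS; TLS 1.3 suites are not configurable in Go and are unaffected by the `CipherSuites` list.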