by jbj 1298 days ago
I have been using mosh on and off, and actually appreciated that the software was so robust that it just works without frequent updates, and as far as I understand, most security is in ssh, so there would not really be a need for a new version.

Your understanding is sort of mistaken. Mosh does an initial handshake over ssh, but after that it’s a custom UDP protocol. There have been and could be more security bugs in that UDP protocol.

The only mosh CVE [1] was in the terminal emulator (a DoS that could only be triggered by a local user), not in the protocol. There have been no vulnerabilities in mosh's UDP protocol.

[1] https://nvd.nist.gov/vuln/detail/CVE-2012-2385

yet.

I wonder if anyone's thrown a fuzzer at it.

Yes, mosh has fuzz tests in oss-fuzz [1].

[1] https://github.com/google/oss-fuzz/tree/master/projects/mosh

Ahh, thanks for clarifying! Yes, in that case it is very appreciated to see recent updates.