Package: openssl Version: 0.9.8o-3 Severity: important Tags: security Hi, the following CVE (Common Vulnerabilities & Exposures) id was published for openssl.
CVE-2010-4252[0]: | OpenSSL before 1.0.0c, when J-PAKE is enabled, does not properly | validate the public parameters in the J-PAKE protocol, which allows | remote attackers to bypass the need for knowledge of the shared | secret, and successfully authenticate, by sending crafted values in | each round of the protocol. Note that -DOPENSSL_NO_JPAKE appears to be set currently, so the as-built version isn't affected. Please close this bug when an upstream version with the fix is uploaded. If you fix the vulnerability please also make sure to include the CVE id in your changelog entry. For further information see: [0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4252 http://security-tracker.debian.org/tracker/CVE-2010-4252 -- To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
