On Sun, Dec 12, 2010 at 04:04:38PM -0500, Michael Gilbert wrote:
>
> Hi,
> the following CVE (Common Vulnerabilities & Exposures) id was
> published for openssl.
>
> CVE-2010-4252[0]:
> | OpenSSL before 1.0.0c, when J-PAKE is enabled, does not properly
> | validate the public parameters in the J-PAKE protocol, which allows
> | remote attackers to bypass the need for knowledge of the shared
> | secret, and successfully authenticate, by sending crafted values in
> | each round of the protocol.

I knew about it.

> Note that -DOPENSSL_NO_JPAKE appears to be set currently, so the
> as-built version isn't affected.

So what's the point of filing this bug? I don't plan to fix a bug
that doesn't affect us.

Kurt