On Sun, Dec 12, 2010 at 5:34 PM, Kurt Roeckx wrote:
> On Sun, Dec 12, 2010 at 04:04:38PM -0500, Michael Gilbert wrote:
>>
>> Hi,
>> the following CVE (Common Vulnerabilities & Exposures) id was
>> published for openssl.
>>
>> CVE-2010-4252[0]:
>> | OpenSSL before 1.0.0c, when J-PAKE is enabled, does not properly
>> | validate the public parameters in the J-PAKE protocol, which allows
>> | remote attackers to bypass the need for knowledge of the shared
>> | secret, and successfully authenticate, by sending crafted values in
>> | each round of the protocol.
>
> I knew about it.
>
>> Note that -DOPENSSL_NO_JPAKE appears to be set currently, so the
>> as-built version isn't affected.
>
> So what's the point of filing this bug?

Like I said, to track upstream progress, and to keep a record in case it does get enabled by default.

> I don't plan to fix a bug that doesn't affect us.

Of course.

Mike