Package: openssh
Version: 1:5.5p1-5
Severity: serious
Tags: security

Hi,

the following CVE (Common Vulnerabilities & Exposures) id was published for openssh.
CVE-2010-4478[0]:
| OpenSSH 5.6 and earlier, when J-PAKE is enabled, does not properly
| validate the public parameters in the J-PAKE protocol, which allows
| remote attackers to bypass the need for knowledge of the shared
| secret, and successfully authenticate, by sending crafted values in
| each round of the protocol, a related issue to CVE-2010-4252.

It does look like jpake is built for openssh. I've checked the version in squeeze and it has the vulnerable code.

If you fix the vulnerability please also make sure to include the CVE id in your changelog entry.

For further information see:
[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4478
    http://security-tracker.debian.org/tracker/CVE-2010-4478
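As an added illustration of the class of check this report concerns (not code from OpenSSH, from the upstream fix, or from this bug report): a Python routine that validates a received J-PAKE public value against the Schnorr group before it is used. The group p=23, q=11, g=4 is a constructed toy group, and the check shown (range plus order-q membership) is an assumption about what such public-parameter validation requires, not a transcription of what OpenSSH 5.7 does.

```python
# Added example: group-membership validation for J-PAKE public values.
# Not OpenSSH code. Toy Schnorr group (constructed): p = 23, q = 11, g = 4,
# i.e. q divides p - 1 and g has order q modulo p. Real deployments use
# the large groups specified for the protocol.
import secrets

P, Q, G = 23, 11, 4


def is_valid_public_value(x: int, p: int = P, q: int = Q) -> bool:
    """Return True only if x is a safe J-PAKE public value.

    A peer's value (a g^something mod p sent in the protocol rounds) must be
    rejected if it is degenerate. Values such as 0, 1 or p-1, or any value
    outside the order-q subgroup, let the derived key material become
    independent of the shared secret; missing validation of exactly these
    public parameters is the bug class CVE-2010-4478 describes.
    """
    # Range check: excludes 0, 1, p-1 and anything not reduced mod p.
    if not (1 < x < p - 1):
        return False
    # Subgroup check: x must have order q, i.e. x^q == 1 (mod p).
    return pow(x, q, p) == 1


def honest_public_value(p: int = P, q: int = Q, g: int = G) -> int:
    """What a well-behaved peer sends: g^r mod p for random r in [1, q-1]."""
    r = 1 + secrets.randbelow(q - 1)
    return pow(g, r, p)


def accept_round(values, p: int = P, q: int = Q) -> bool:
    """Every public value in a round must pass; one bad value aborts the
    exchange instead of being silently folded into the key."""
    return all(is_valid_public_value(v, p, q) for v in values)


if __name__ == "__main__":
    good = [honest_public_value() for _ in range(2)]
    bad = [1, P - 1, 5]  # 5 lies outside the order-11 subgroup mod 23
    print("honest round accepted:", accept_round(good))
    for v in bad:
        print(f"value {v} accepted:", is_valid_public_value(v))
```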