> CVE-2010-4478[0]:
> | OpenSSH 5.6 and earlier, when J-PAKE is enabled, does not properly
> | validate the public parameters in the J-PAKE protocol, which allows
> | remote attackers to bypass the need for knowledge of the shared
> | secret, and successfully authenticate, by sending crafted values in
> | each round of the protocol, a related issue to CVE-2010-4252.
>
> It does look like jpake is built for openssh. I've checked the version
> in squeeze and it has the vulnerable code.

Quoting from http://seb.dbzteam.org/crypto/jpake-session-key-retrieval.pdf :

| This issue affects the implementations of J-PAKE [1] in OpenSSL [2]
| and OpenSSH [3]. These implementations referred as experimental [4, 5]
                                                     ^^^^^^^^^^^^
| and work-in-progress
      ^^^^^^^^^^^^^^^^

As such, we should simply disable J-PAKE for now. It wasn't in Lenny, so
it's not a regression, either.

Cheers,
        Moritz
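
An added example, not part of the original message and not OpenSSH's or OpenSSL's code: the kind of check that "properly validate the public parameters" refers to for a protocol working in a prime-order subgroup, applied to every received group element before it is used. The toy group (p = 23, q = 11, g = 4), the function names and the field names g_x1/g_x2 are assumptions made for this sketch.

```python
# Constructed toy group, far too small for real use: p = 2q + 1, g has order q.
P, Q, G = 23, 11, 4


class InvalidPublicValue(ValueError):
    """A received group element failed validation; abort the exchange."""


def is_valid_public_value(y: int, p: int = P, q: int = Q) -> bool:
    """True only for a non-identity element of the order-q subgroup mod p."""
    # Range check first: rejects 0, 1, negatives and unreduced values >= p.
    if not 1 < y < p:
        return False
    # Subgroup check: y^q == 1 (mod p) holds only inside the order-q subgroup,
    # so p - 1 (order 2) and other elements outside it are rejected.
    return pow(y, q, p) == 1


def validate_round(received: dict, p: int = P, q: int = Q) -> None:
    """Check every group element of one protocol message before using any."""
    for name, value in received.items():
        if not is_valid_public_value(value, p, q):
            raise InvalidPublicValue(f"{name} is not a valid subgroup element")


def demo() -> dict:
    """Validate one well-formed message and several malformed values."""
    # Hypothetical field names; values constructed from the toy generator.
    good = {"g_x1": pow(G, 3, P), "g_x2": pow(G, 7, P)}
    validate_round(good)  # passes silently
    verdicts = {}
    for bad in (0, 1, P - 1, P, P + G, 5):  # 5 lies outside the subgroup
        verdicts[bad] = is_valid_public_value(bad)
    return verdicts


if __name__ == "__main__":
    print(demo())
```

A peer that fails this check should have the exchange aborted rather than continued with a substituted value.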