Your message dated Fri, 17 Dec 2010 10:18:29 +0100
with message-id <20101217091829.gt5...@radis.liafa.jussieu.fr>
and subject line Re: Bug#606922: closed by Colin Watson <cjwat...@debian.org> 
(Re: Bug#606922: jpake not enabled in sid)
has caused the Debian Bug report #606922,
regarding openssh: cve-2010-4478 jpake issue
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
606922: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=606922
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: openssh
Version: 1:5.5p1-5
Severity: serious
Tags: security

Hi,
the following CVE (Common Vulnerabilities & Exposures) id was
published for openssh.

CVE-2010-4478[0]:
| OpenSSH 5.6 and earlier, when J-PAKE is enabled, does not properly
| validate the public parameters in the J-PAKE protocol, which allows
| remote attackers to bypass the need for knowledge of the shared
| secret, and successfully authenticate, by sending crafted values in
| each round of the protocol, a related issue to CVE-2010-4252.

It does look like jpake is built for openssh.  I've checked the version
in squeeze and it has the vulnerable code.

If you fix the vulnerability please also make sure to include the
CVE id in your changelog entry.

For further information see:

[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4478
    http://security-tracker.debian.org/tracker/CVE-2010-4478



--- End Message ---
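The CVE text above says the J-PAKE peer's public values were used without being validated. The following is an added illustration, not code from the bug report or from OpenSSH: a verifier that confirms each received value is a non-identity element of the order-q subgroup before checking the Schnorr proof, beside the weak form that checks only the proof equation. The group parameters, party ids and nonces are constructed toy values so it runs offline.

```python
import hashlib

# Toy group parameters, constructed for a runnable demo only (real J-PAKE uses a
# 1024-bit or larger group); q divides p - 1 and g generates the order-q subgroup.
P = 23
Q = 11
G = 2   # 2^11 mod 23 == 1, so 2 has order 11

def validate_public_value(val: int) -> bool:
    """Accept val only if it is a non-identity element of the order-q subgroup.
    Rejects 0, 1, p-1 and anything outside the subgroup: values a peer could
    send to fix the derived key without knowing the shared secret."""
    if not 1 < val < P - 1:
        return False
    return pow(val, Q, P) == 1

def _hash_to_q(*parts) -> int:
    # Fiat-Shamir challenge; binds g, the commitment, the public value and the id.
    data = b"|".join(str(x).encode() for x in parts)
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % Q

def schnorr_prove(x: int, v: int, party_id: str):
    """Schnorr proof of knowledge of x for X = g^x; v is the prover's nonce in [1, q-1].
    Returns (X, V, r) as sent in a J-PAKE round-1 message."""
    X, V = pow(G, x, P), pow(G, v, P)
    h = _hash_to_q(G, V, X, party_id)
    return X, V, (v - x * h) % Q

def schnorr_verify(X: int, V: int, r: int, party_id: str) -> bool:
    """Validate the public values first, then check g^r * X^h == V (mod p)."""
    if not (validate_public_value(X) and validate_public_value(V)):
        return False
    h = _hash_to_q(G, V, X, party_id)
    return (pow(G, r, P) * pow(X, h, P)) % P == V

def algebra_only_verify(X: int, V: int, r: int, party_id: str) -> bool:
    """The weak form: the equation alone is satisfied by a proof for x = 0 (X = 1)."""
    h = _hash_to_q(G, V, X, party_id)
    return (pow(G, r, P) * pow(X, h, P)) % P == V
```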
--- Begin Message ---
On Fri, Dec 17, 2010 at 02:14:23 -0500, Michael Gilbert wrote:

> This appears to be true, but I would be more comfortable if the object
> code were explicitly not built and thus 100% known to not be used or
> available in any of the libs.
> 
Making you comfortable is not release critical.  Closing again.

Cheers,
Julien

Attachment: signature.asc
Description: Digital signature


--- End Message ---