On Thu, Dec 16, 2010 at 04:47:27PM +0000, Colin Watson wrote:
> On Thu, Dec 16, 2010 at 11:18:09AM +0100, Arne Wichmann wrote:
> > It does not look like jpake is enabled in sid:
>
> That's correct. It's disabled upstream and we haven't enabled it. I
> have no intention of enabling it until upstream say it's OK to do so
> (which will probably consist of enabling it by default).
>
> Here's the upstream commit message:
>
>    - d...@cvs.openbsd.org 2010/09/20 04:50:53
>      [jpake.c schnorr.c]
>      check that received values are smaller than the group size in the
>      disabled and unfinished J-PAKE code.
>      avoids catastrophic security failure found by Sebastien Martini
>
> Michael, thanks for the heads-up, but I don't see any need to spend time
> backporting this. Anyone who goes in, enables this against the advice
> of upstream, and deploys it on a publicly-visible system deserves what
> they get! If you're going to use experimental authentication modes,
> then you at least need to use current CVS HEAD.
>
> I'm closing this bug, and I recommend the security team mark it as "no
> fix needed".
I'll mark openssh as non-affected in the security tracker. (Since it's not
enabled)

Cheers,
Moritz
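As an added illustration of the kind of check the quoted commit message describes (example code written for this page, not OpenSSH's jpake.c or schnorr.c), here is a toy Schnorr proof verifier in Python that refuses to do any arithmetic with a received value until it has confirmed the value is a canonical, non-identity element of the prime-order group, i.e. strictly smaller than the modulus and a member of the subgroup. The parameters p = 23, q = 11, g = 4 are constructed toy values, and the names `valid_group_element`, `valid_exponent`, `challenge`, `schnorr_prove` and `schnorr_verify` are chosen for this example only.

```python
import hashlib
import secrets

# Constructed toy parameters for illustration only (not OpenSSH's, and far too
# small for real use): p = 2q + 1 with p = 23, q = 11, and g = 4 generates the
# order-q subgroup of Z_p^*.
P = 23
Q = 11
G = 4


def valid_group_element(x, p=P, q=Q):
    """Accept x only if it is a canonical, non-identity element of the order-q subgroup.

    Rejects non-integers, 0, 1 (the identity), negatives, anything >= p (the
    "smaller than the group size" check), and integers outside the subgroup.
    """
    if not isinstance(x, int) or isinstance(x, bool):
        return False
    if x <= 1 or x >= p:
        return False
    return pow(x, q, p) == 1


def valid_exponent(e, q=Q):
    """Responses are exponents and must already be reduced mod q: 0 <= e < q."""
    return isinstance(e, int) and not isinstance(e, bool) and 0 <= e < q


def challenge(y, r, g=G, q=Q):
    """Fiat-Shamir challenge binding the generator, public key and commitment."""
    h = hashlib.sha256(f"{g}|{y}|{r}".encode()).digest()
    return int.from_bytes(h, "big") % q


def schnorr_prove(x, k):
    """Prove knowledge of x with y = g^x; k is a one-time nonce in [1, q-1]."""
    y = pow(G, x, P)
    r = pow(G, k, P)
    c = challenge(y, r)
    s = (k + c * x) % Q
    return y, r, s


def schnorr_verify(y, r, s):
    """Check g^s == r * y^c (mod p), but only after validating every received value."""
    if not (valid_group_element(y) and valid_group_element(r) and valid_exponent(s)):
        return False
    c = challenge(y, r)
    return pow(G, s, P) == (r * pow(y, c, P)) % P


if __name__ == "__main__":
    x = secrets.randbelow(Q - 1) + 1
    k = secrets.randbelow(Q - 1) + 1
    y, r, s = schnorr_prove(x, k)
    print("honest proof verifies:", schnorr_verify(y, r, s))
    # y + p is congruent to y mod p, so the verification equation alone would
    # still hold; the range check is what rejects the non-canonical encoding.
    print("y + p rejected:", not schnorr_verify(y + P, r, s))
    print("identity commitment rejected:", not schnorr_verify(y, 1, s))
```

The point of ordering the checks before the modular exponentiation is that `pow()` silently reduces any integer, so an unreduced or out-of-range peer value would otherwise be accepted as if it were the canonical one; validating range and subgroup membership first turns that into a clean rejection.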