
Bug#725731: RM: irssi-plugin-otr/0.3-2

Hi,

tl;dr: I support Antoine's proposal to drop from Squeeze and Wheezy
any OTR client or plugin that supports both OTRv1 and OTRv2.

I strongly doubt we're still shipping anything that supports v1 only,
but it would be wise to check.

> OTRv1 is susceptible to downgrade attacks (if my memory is correct).

Some more background info, in case it matters, or if someone is
curious: OTRv1 has various security issues known for years, that were
fixed in the v2 protocol. Any client supporting both OTRv1 and OTRv2
(such as pidgin-otr 3.x) is subject to downgrade attacks. So, the only
safe way these days is to only support OTRv2. It took a while to
obsolete older v1-only software, but now I think the time has come
when we can reasonably expect v2-only to work for everyone.

(Probably OT as far as the release team is concerned: it might be
worth filing CVEs against the clients that still support v1 and v2.
Antoine, do you want to ask the OTR developers what their take
on it is?)

> I have been asked by numerous users to remove xchat-otr from squeeze,
> so here is the formal request. I am going to backport the irssi-otr
> plugin to wheezy soon, and if there are enough requests, to
> squeeze-sloppy-backports too.

FWIW, I had in mind to do basically the same for pidgin-otr, including
the RM request, now that the libotr transition is over. (And no, I've
not talked to the maintainer yet, not filed any bug report yet, and
I've no idea if they're aware of the big picture in which their
specific package is taking part. Will do.)

Cheers,
-- 
  intrigeri
  | GnuPG key @ https://gaffer.ptitcanardnoir.org/intrigeri/intrigeri.asc
  | OTR fingerprint @ https://gaffer.ptitcanardnoir.org/intrigeri/otr.asc
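The version-negotiation point in the mail, as an added example that is not part of the message or of any of the Debian packages it names: it parses the OTR query message (the "?OTR?", "?OTRv2?", "?OTR?v2?" forms defined by the OTR protocol specification) and applies a v2-only response policy beside the permissive both-versions policy, so a reader can see why a client allowing v1 and v2 can end up in a v1 session when v2 is absent from the offer while a v2-only client simply declines. The `allowed` policy parameter and function names are this example's own.

```python
import re
from typing import FrozenSet, Optional, Set

# OTR query message forms, per the OTR protocol specification:
#   "?OTR?"     peer offers only v1
#   "?OTRv2?"   peer offers only v2
#   "?OTR?v2?"  peer offers v1 and v2
#   "?OTRv23?"  peer offers v2 and v3
#   "?OTRv?"    peer lists no versions at all
QUERY_RE = re.compile(r"\?OTR(?P<v1>\?)?(?:v(?P<versions>[0-9]*)\?)?")


def offered_versions(message: str) -> Optional[Set[int]]:
    """Return the set of OTR versions a query message offers, or None if the
    text carries no OTR query at all."""
    m = QUERY_RE.search(message)
    if m is None or (m.group("v1") is None and m.group("versions") is None):
        return None
    versions: Set[int] = set()
    if m.group("v1"):
        versions.add(1)
    for ch in m.group("versions") or "":
        versions.add(int(ch))
    return versions


def choose_version(message: str,
                   allowed: FrozenSet[int] = frozenset({2})) -> Optional[int]:
    """Pick the protocol version to answer a query with, or None to decline.

    The default policy is the v2-only one the mail recommends: v1 is never
    selected, even when it is the only version offered, so an offer with v2
    removed cannot push the session down to v1.  Passing allowed={1, 2}
    models the permissive client, which answers "?OTR?" with a v1 session.
    """
    offered = offered_versions(message)
    if not offered:
        return None
    candidates = offered & allowed
    # Prefer the newest mutually supported version.
    return max(candidates) if candidates else None
```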