Your message dated Fri, 17 Dec 2010 10:18:29 +0100 with message-id <20101217091829.GT5063@radis.liafa.jussieu.fr> and subject line Re: Bug#606922: closed by Colin Watson <cjwatson@debian.org> (Re: Bug#606922: jpake not enabled in sid) has caused the Debian Bug report #606922, regarding openssh: cve-2010-4478 jpake issue to be marked as done. This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith. (NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact owner@bugs.debian.org immediately.) -- 606922: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=606922 Debian Bug Tracking System Contact owner@bugs.debian.org with problems
--- Begin Message ---
- To: Debian Bug Tracking System <submit@bugs.debian.org>
- Subject: openssh: cve-2010-4478 jpake issue
- From: Michael Gilbert <michael.s.gilbert@gmail.com>
- Date: Sun, 12 Dec 2010 19:31:30 -0500
- Message-id: <[🔎] AANLkTimwHC8cVM7VTUuKx2dBVzdWnpp9vEV6h_0Qsvpn@mail.gmail.com>
Package: openssh Version: 1:5.5p1-5 Severity: serious Tags: security Hi, the following CVE (Common Vulnerabilities & Exposures) id was published for openssh. CVE-2010-4478[0]: | OpenSSH 5.6 and earlier, when J-PAKE is enabled, does not properly | validate the public parameters in the J-PAKE protocol, which allows | remote attackers to bypass the need for knowledge of the shared | secret, and successfully authenticate, by sending crafted values in | each round of the protocol, a related issue to CVE-2010-4252. It does look like jpake is build for openssh. I've checked the version in squeeze and it has the vulnerable code. If you fix the vulnerability please also make sure to include the CVE id in your changelog entry. For further information see: [0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4478 http://security-tracker.debian.org/tracker/CVE-2010-4478
--- End Message ---
--- Begin Message ---
- To: Michael Gilbert <michael.s.gilbert@gmail.com>, 606922-done@bugs.debian.org
- Subject: Re: Bug#606922: closed by Colin Watson <cjwatson@debian.org> (Re: Bug#606922: jpake not enabled in sid)
- From: Julien Cristau <jcristau@debian.org>
- Date: Fri, 17 Dec 2010 10:18:29 +0100
- Message-id: <20101217091829.GT5063@radis.liafa.jussieu.fr>
- In-reply-to: <[🔎] AANLkTimG827kXOUsKVKCJ3d9VrkignfNwD2SzEfpdZ9U@mail.gmail.com>
- References: <20101216164727.GR12396@riva.ucam.org> <[🔎] AANLkTimwHC8cVM7VTUuKx2dBVzdWnpp9vEV6h_0Qsvpn@mail.gmail.com> <handler.606922.D606922.129251805223278.notifdone@bugs.debian.org> <[🔎] AANLkTi=jg2PpmUr_ZCe33x6s_zpPK59ajU8gd=m75mFq@mail.gmail.com> <[🔎] 87fwtxdjy8.fsf@windlord.stanford.edu> <[🔎] AANLkTimG827kXOUsKVKCJ3d9VrkignfNwD2SzEfpdZ9U@mail.gmail.com>
On Fri, Dec 17, 2010 at 02:14:23 -0500, Michael Gilbert wrote: > This appears to be true, but I would be more comfortable if the object > code were explicitly not built and thus 100% known to not be used or > available in any of the libs. > Making you comfortable is not release critical. Closing again. Cheers, JulienAttachment: signature.asc
Description: Digital signature
--- End Message ---