Bug#606922: jpake not enabled in sid
On Thu, Dec 16, 2010 at 04:47:27PM +0000, Colin Watson wrote:
> On Thu, Dec 16, 2010 at 11:18:09AM +0100, Arne Wichmann wrote:
> > It does not look like jpake is enabled in sid:
>
> That's correct. It's disabled upstream and we haven't enabled it. I
> have no intention of enabling it until upstream say it's OK to do so
> (which will probably consist of enabling it by default).
>
> Here's the upstream commit message:
>
> - djm@cvs.openbsd.org 2010/09/20 04:50:53
> [jpake.c schnorr.c]
> check that received values are smaller than the group size in the
> disabled and unfinished J-PAKE code.
> avoids catastrophic security failure found by Sebastien Martini
>
> Michael, thanks for the heads-up, but I don't see any need to spend time
> backporting this. Anyone who goes in, enables this against the advice
> of upstream, and deploys it on a publicly-visible system deserves what
> they get! If you're going to use experimental authentication modes,
> then you at least need to use current CVS HEAD.
>
> I'm closing this bug, and I recommend the security team mark it as "no
> fix needed".
I'll mark openssh as non-affected in the security tracker (since it's
not enabled).
Cheers,
Moritz
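The quoted upstream commit message describes a range check: received values in the J-PAKE and Schnorr code must be smaller than the group size before they are used. The following is an added illustration, written for this page and not taken from OpenSSH's jpake.c or schnorr.c: a minimal Schnorr proof of knowledge in Python whose verifier rejects any received group element that is not strictly between 1 and p and in the prime-order subgroup, and any scalar outside [0, q). The toy group parameters, the length-prefixed hash encoding for the challenge, and all function names are constructed assumptions for the example.

```python
import hashlib
import secrets
from dataclasses import dataclass
from typing import Optional

# Constructed toy parameters (not a real group): p = 23 is prime, q = 11 divides
# p - 1, and g = 2 generates the order-11 subgroup of Z_23*. Real protocols use
# primes of thousands of bits; these are small so the arithmetic can be followed.
P, Q, G = 23, 11, 2


def is_valid_group_element(x: int, p: int, q: int) -> bool:
    """Accept x only if it is a non-identity element of the order-q subgroup.

    The first test is the "smaller than the group size" check described in the
    commit message; the second rejects elements of small order that a hostile
    peer could send to learn about the other side's secret exponent.
    """
    if not 1 < x < p:
        return False
    return pow(x, q, p) == 1


def is_valid_scalar(r: int, q: int) -> bool:
    """Responses and challenges live in Z_q, so they must lie in [0, q)."""
    return 0 <= r < q


def fiat_shamir_challenge(p: int, q: int, g: int, y: int, t: int) -> int:
    """Derive the challenge from the transcript (length-prefixed big-endian ints)."""
    h = hashlib.sha256()
    for n in (p, q, g, y, t):
        b = n.to_bytes(max(1, (n.bit_length() + 7) // 8), "big")
        h.update(len(b).to_bytes(4, "big") + b)
    return int.from_bytes(h.digest(), "big") % q


@dataclass(frozen=True)
class SchnorrProof:
    y: int  # public value g^x mod p
    t: int  # commitment g^v mod p
    r: int  # response v - c*x mod q


def schnorr_prove(x: int, p: int = P, q: int = Q, g: int = G,
                  v: Optional[int] = None) -> SchnorrProof:
    """Prove knowledge of x with y = g^x. v is random unless fixed for testing."""
    if not 1 <= x < q:
        raise ValueError("secret exponent out of range")
    if v is None:
        v = secrets.randbelow(q - 1) + 1  # uniform in [1, q)
    y = pow(g, x, p)
    t = pow(g, v, p)
    c = fiat_shamir_challenge(p, q, g, y, t)
    r = (v - c * x) % q
    return SchnorrProof(y, t, r)


def schnorr_verify(proof: SchnorrProof, p: int = P, q: int = Q, g: int = G) -> bool:
    """Verify a proof, validating every received value before using it."""
    if not (is_valid_group_element(proof.y, p, q)
            and is_valid_group_element(proof.t, p, q)):
        return False
    if not is_valid_scalar(proof.r, q):
        return False
    c = fiat_shamir_challenge(p, q, g, proof.y, proof.t)
    return (pow(g, proof.r, p) * pow(proof.y, c, p)) % p == proof.t


if __name__ == "__main__":
    proof = schnorr_prove(7, v=3)
    print("honest proof accepted:", schnorr_verify(proof))
    # A commitment equal to p is not smaller than the group size and must be
    # rejected, even though pow() would happily compute with it.
    print("t == p rejected:", not schnorr_verify(SchnorrProof(proof.y, P, proof.r)))
    # r + q is congruent to r, so without the scalar range check a second,
    # distinct proof would verify; the check removes that malleability.
    print("r >= q rejected:", not schnorr_verify(SchnorrProof(proof.y, proof.t, proof.r + Q)))
```

The order of operations is the point: every value that arrives from the peer is range-checked and subgroup-checked before it is fed into any modular exponentiation, which is the class of check the upstream commit added to the disabled J-PAKE code.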