Your message dated Sun, 12 Dec 2010 23:50:12 +0100
with message-id <[email protected]>
and subject line Re: [Pkg-openssl-devel] Bug#606902: Bug#606902: openssl:
cve-2010-4252 j-pake issue
has caused the Debian Bug report #606902,
regarding openssl: cve-2010-4252 j-pake issue
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
606902: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=606902
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: openssl
Version: 0.9.8o-3
Severity: important
Tags: security
Hi,
the following CVE (Common Vulnerabilities & Exposures) id was
published for openssl.
CVE-2010-4252[0]:
| OpenSSL before 1.0.0c, when J-PAKE is enabled, does not properly
| validate the public parameters in the J-PAKE protocol, which allows
| remote attackers to bypass the need for knowledge of the shared
| secret, and successfully authenticate, by sending crafted values in
| each round of the protocol.
Note that -DOPENSSL_NO_JPAKE appears to be set currently, so the
as-built version isn't affected. Please close this bug when an upstream
version with the fix is uploaded.
If you fix the vulnerability please also make sure to include the
CVE id in your changelog entry.
For further information see:
[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4252
http://security-tracker.debian.org/tracker/CVE-2010-4252
--- End Message ---
--- Begin Message ---
On Sun, Dec 12, 2010 at 05:38:21PM -0500, Michael Gilbert wrote:
> On Sun, Dec 12, 2010 at 5:34 PM, Kurt Roeckx wrote:
> > On Sun, Dec 12, 2010 at 04:04:38PM -0500, Michael Gilbert wrote:
> >>
> >> Hi,
> >> the following CVE (Common Vulnerabilities & Exposures) id was
> >> published for openssl.
> >>
> >> CVE-2010-4252[0]:
> >> | OpenSSL before 1.0.0c, when J-PAKE is enabled, does not properly
> >> | validate the public parameters in the J-PAKE protocol, which allows
> >> | remote attackers to bypass the need for knowledge of the shared
> >> | secret, and successfully authenticate, by sending crafted values in
> >> | each round of the protocol.
> >
> > I knew about it.
> >
> >> Note that -DOPENSSL_NO_JPAKE appears to be set currently, so the
> >> as-built version isn't affected.
> >
> > So what's the point of filing this bug?
>
> Like I said to track upstream progress, and to keep a record in case
> it does get enabled by default.
It's fix in 1.0.0c and 0.9.8q.
> > I don't plan to fix a bug that doesn't effect us.
>
> Of course.
So I'm just closing it.
Kurt
--- End Message ---
