Your message dated Wed, 01 Jan 2014 22:32:05 +0000
with message-id <[email protected]>
and subject line Bug#725779: fixed in libotr 3.2.1-1+deb7u1
has caused the Debian Bug report #725779,
regarding libotr: OTR clients supporting both OTRv1 and v2 are subject to
protocol downgrade attacks
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
725779: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=725779
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: libotr
Version: 3.2.1-1
Severity: important
X-Debbugs-Cc: [email protected], [email protected], [email protected]
Control: tag -1 + security
Control: found -1 3.2.0-2+squeeze1
Hi,
as you are surely aware, it's been known [1] since 2006 that
clients supporting both OTRv1 and v2 (such as libotr 3.x) are subject
to protocol downgrade attacks. It's also been known for
a while that OTRv1 has serious security issues (that were the main
reason for a v2, actually). In short, supporting v2 only is the only safe
way to go these days.
[1] http://citeseerx.ist.psu.edu/viewdoc/summary?doi=10.1.1.165.7945
It took a while to obsolete older v1-only software, and another while
to complete the libotr 4.x transition and get to a sane state in
Debian testing. Now, I think the time has come when we can reasonably
expect v2-only to work for everyone.
I think that the only reasonable course of action from now on is to
patch libotr in stable and oldstable to only support OTR v1.
Thoughts?
JFTR, libotr 4.x (testing/sid) is not affected by these issues (fixed
in upstream commit 7ffba65f).
(The only alternative I can think of would be to remove it from
stable, remove all reverse-deps that are useless without OTR support
(e.g. pidgin-otr), patch all reverse-deps that are useful without OTR
support (e.g. kopete) to drop it, and prepare tons of backports.
This requires tons of work, coordination with many package
maintainers, and approval from the release team. I don't think we want
to go this way.)
Cheers,
--
intrigeri
| GnuPG key @ https://gaffer.ptitcanardnoir.org/intrigeri/intrigeri.asc
| OTR fingerprint @ https://gaffer.ptitcanardnoir.org/intrigeri/otr.asc
--- End Message ---
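The report above argues that a client accepting both OTRv1 and v2 can be talked down to v1, and the upload that closes the bug simply disables v1. The following added example (not from the bug report and not libotr's code) models that negotiation: it parses the version advertisement in an OTR query message (`?OTR?` offers v1, `?OTRv2?` offers v2, `?OTR?v2?` offers both, per the OTR protocol spec) and shows what a permissive policy accepts versus a v2-only policy. The `Policy` flags are a constructed stand-in for a client's allow-list, not libotr's API.

```python
import re
from enum import Flag, auto


class Policy(Flag):
    """Constructed allow-list of protocol versions a client will speak."""
    ALLOW_V1 = auto()
    ALLOW_V2 = auto()


# OTR query message grammar (from the OTR spec):
#   "?OTR?"    -> sender offers version 1 only
#   "?OTRv2?"  -> sender offers version 2 only
#   "?OTR?v2?" -> sender offers versions 1 and 2
QUERY_RE = re.compile(r"\?OTR(\?)?(?:v([0-9]+)\?)?")


def parse_query(msg: str) -> set[int]:
    """Return the set of protocol versions advertised in an OTR query."""
    m = QUERY_RE.search(msg)
    if not m:
        return set()
    versions: set[int] = set()
    if m.group(1):            # the bare "?OTR?" prefix advertises v1
        versions.add(1)
    if m.group(2):            # each digit after "v" is one offered version
        versions.update(int(c) for c in m.group(2))
    return versions


def negotiate(msg: str, policy: Policy):
    """Pick the highest version both sides allow, or None to refuse."""
    offered = parse_query(msg)
    allowed = set()
    if Policy.ALLOW_V1 in policy:
        allowed.add(1)
    if Policy.ALLOW_V2 in policy:
        allowed.add(2)
    common = offered & allowed
    return max(common) if common else None


if __name__ == "__main__":
    both = Policy.ALLOW_V1 | Policy.ALLOW_V2   # libotr 3.x-style permissive policy
    v2_only = Policy.ALLOW_V2                  # policy after OTRv1 is disabled
    # A query that reaches the client with only the v1 offer intact is
    # silently accepted at v1 under the permissive policy, but refused
    # (None) under the v2-only policy instead of degrading the session.
    for query in ("?OTR?v2?", "?OTR?"):
        print(f"{query!r}: permissive -> {negotiate(query, both)}, "
              f"v2-only -> {negotiate(query, v2_only)}")
```

Refusing rather than falling back is the point of the fix: a v2-only client cannot be steered into the weaker handshake because it never has a v1 code path to select.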
--- Begin Message ---
Source: libotr
Source-Version: 3.2.1-1+deb7u1
We believe that the bug you reported is fixed in the latest version of
libotr, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
intrigeri <[email protected]> (supplier of updated libotr package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Sun, 22 Dec 2013 11:35:06 +0100
Source: libotr
Binary: libotr2 libotr2-bin libotr2-dev
Architecture: source amd64
Version: 3.2.1-1+deb7u1
Distribution: stable
Urgency: medium
Maintainer: Thibaut VARENE <[email protected]>
Changed-By: intrigeri <[email protected]>
Description:
libotr2 - Off-the-Record Messaging library
libotr2-bin - toolkit for Off-the-Record Messaging library
libotr2-dev - Off-the-Record Messaging library development files
Closes: 725779
Changes:
libotr (3.2.1-1+deb7u1) stable; urgency=medium
.
* Non-maintainer upload with maintainer's agreement.
* Disable insecure OTRv1 protocol (Closes: #725779)
--- End Message ---