Bug#725731: RM: irssi-plugin-otr/0.3-2
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: rm

The pre-1.0 versions of the OTR plugin are very broken for all software (xchat, irssi, etc) and are considered insecure as OTRv1 is susceptible to downgrade attacks (if my memory is correct).

I have been asked by numerous users to remove xchat-otr from squeeze, so here is the formal request.

I am going to backport the irssi-otr plugin to wheezy soon, if there are enough requests, to squeeze-sloppy-backports too.

Note, however, that the new version of the package doesn't support xchat anymore, but that is because upstream was never updated.

-- System Information:
Debian Release: 7.1
  APT prefers stable
  APT policy: (500, 'stable')
Architecture: i386 (x86_64)

Kernel: Linux 3.10-0.bpo.2-amd64 (SMP w/2 CPU cores)
Locale: LANG=fr_CA.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Bug#725731: RM: irssi-plugin-otr/0.3-2
Hi,

tl;dr: I support Antoine's proposal to drop from Squeeze and Wheezy any OTR client or plugin that supports both OTRv1 and OTRv2. I strongly doubt we're still shipping anything that supports v1 only, but it would be wise to check.

> OTRv1 is susceptible to downgrade attacks (if my memory is correct).

Some more background info, in case it matters, or if someone is curious: OTRv1 has various security issues known for years, that were fixed in the v2 protocol. Any client supporting both OTRv1 and OTRv2 (such as pidgin-otr 3.x) is subject to downgrade attacks. So, the only safe way these days is to only support OTRv2. It took a while to obsolete older v1-only software, but now I think the time has come when we can reasonably expect v2-only to work for everyone.

(Probably OT as far as the release team is concerned: it might be worth filing CVEs against the clients that still support v1 and v2. Antoine, do you want to ask the OTR developers what's their take on it?)

> I have been asked by numerous users to remove xchat-otr from squeeze, so here is the formal request.
>
> I am going to backport the irssi-otr plugin to wheezy soon, if there are enough requests, to squeeze-sloppy-backports too.

FWIW, I had in mind to do basically the same for pidgin-otr, including the RM request, now that the libotr transition is over. (And no, I've not talked to the maintainer yet, not filed any bug report yet, and I've no idea if they're aware of the big picture in which their specific package is taking part. Will do.)

Cheers,
--
  intrigeri
  | GnuPG key @ https://gaffer.ptitcanardnoir.org/intrigeri/intrigeri.asc
  | OTR fingerprint @ https://gaffer.ptitcanardnoir.org/intrigeri/otr.asc
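Added example, not part of the original thread or of any OTR plugin's code: a sketch of the version-policy check behind the "only support OTRv2" recommendation above, comparing a client that accepts v1 and v2 with a v2-only client. It assumes the query-tag syntax of the published OTR protocol description (`?OTR?` offers v1, `?OTRv2?` offers v2, `?OTR?v2?` offers both); the function names and sample messages are hypothetical and constructed for illustration.

```python
import re

# OTR query tag: "?OTR", an optional "?" (offers v1), then an optional
# "v<chars>?" list in which each character names one offered version.
_QUERY = re.compile(r"\?OTR(\?)?(?:v([^?\s]*)\?)?")


def advertised_versions(message):
    """Return the set of OTR versions a query offers, or None if not a query."""
    m = _QUERY.search(message)
    if m is None or (m.group(1) is None and m.group(2) is None):
        return None  # e.g. "?OTR:..." data messages or "?OTR Error:..."
    versions = set(m.group(2) or "")
    if m.group(1):
        versions.add("1")
    return versions


def choose_version(message, allowed=frozenset({"2"})):
    """Pick the highest offered version that local policy allows, else None.

    The default policy is v2-only, so a query offering only v1 is refused
    instead of silently negotiating the weaker protocol.
    """
    offered = advertised_versions(message)
    if offered is None:
        return None
    common = offered & set(allowed)
    return max(common) if common else None


if __name__ == "__main__":
    # Constructed sample queries, not captured traffic.
    samples = ["?OTR?v2? hello", "?OTRv2?", "?OTR?", "?OTR:AAIC"]
    for text in samples:
        print(
            repr(text),
            "offers", advertised_versions(text),
            "| v1+v2 client picks", choose_version(text, allowed={"1", "2"}),
            "| v2-only client picks", choose_version(text),
        )
```

For the `?OTR?` sample, the client allowing both versions settles on v1 while the v2-only policy refuses the session, which is the difference the removal request is about.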
Bug#725731: RM: irssi-plugin-otr/0.3-2
On 2013-10-07 15:55:26, intrigeri wrote:
> Hi,
>
> (Probably OT as far as the release team is concerned: it might be worth filing CVEs against the clients that still support v1 and v2. Antoine, do you want to ask the OTR developers what's their take on it?)

I wouldn't bother, personally. It took me enough time to file this RM request... :P

Cheers,

A.

--
Travail [work], from the Latin Tri Palium: three stakes, an instrument of torture.
Bug#725731: RM: irssi-plugin-otr/0.3-2
Control: tags -1 + squeeze pending
Control: retitle -1 RM: irssi-plugin-otr -- RoM; security issues

On Mon, 2013-10-07 at 21:14 +0200, Antoine Beaupré wrote:
> The pre-1.0 versions of the OTR plugin are very broken for all software (xchat, irssi, etc) and are considered insecure as OTRv1 is susceptible to downgrade attacks (if my memory is correct).
>
> I have been asked by numerous users to remove xchat-otr from squeeze, so here is the formal request.
>
> I am going to backport the irssi-otr plugin to wheezy soon, if there are enough requests, to squeeze-sloppy-backports too.

Added to the to-do list for 6.0.8.

Regards,

Adam
Processed: Re: Bug#725731: RM: irssi-plugin-otr/0.3-2
Processing control commands:

> tags -1 + squeeze pending
Bug #725731 [release.debian.org] RM: irssi-plugin-otr/0.3-2
Added tag(s) squeeze and pending.
> retitle -1 RM: irssi-plugin-otr -- RoM; security issues
Bug #725731 [release.debian.org] RM: irssi-plugin-otr/0.3-2
Changed Bug title to 'RM: irssi-plugin-otr -- RoM; security issues' from 'RM: irssi-plugin-otr/0.3-2'

--
725731: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=725731
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems