oss-sec mailing list archives
Re: Re: OpenSSH J-PAKE vulnerability (no cause for panic! remain calm!)
From: Kurt Seifried <kseifried () redhat com>
Date: Mon, 03 Feb 2014 01:13:06 -0700
On 01/29/2014 06:50 AM, cve-assign () mitre org wrote:

> Use CVE-2014-1692. The CVE description will indicate that the issue requires an unusual installation.
>
>> As I understand it this can be enabled via code edit/gcc command line options, so not sure if this qualified for a CVE or not (vuln in code, yes, is code reachable? not under any default setup, and even on non-default you have to go pretty far off to enable it).
>
> An impact on the default installation isn't necessary. Vulnerabilities that occur only after the user modifies code aren't eligible for a CVE. However, if there's some type of "installation option" mentioned by the vendor, someone may have chosen that option, and it may be worthwhile to track the issue with a CVE. The nature of an "installation option" obviously varies widely across both open-source and closed-source products. In this case, there's:
>
> http://www.openbsd.org/cgi-bin/cvsweb/src/usr.bin/ssh/Makefile.inc
>
>> Add support for an experimental zero-knowledge password authentication method using the J-PAKE protocol ...
>>
>> This is experimental, work-in-progress code and is presently compiled-time disabled (turn on -DJPAKE in Makefile.inc).
>
> http://www.openbsd.org/cgi-bin/cvsweb/~checkout~/src/usr.bin/ssh/Makefile.inc?rev=1.41;content-type=text%2Fplain
>
>> #CFLAGS+= -DJPAKE
>
> This is close to the edge of what "installation option" means, but our feeling is that the vendor wouldn't have provided that #CFLAGS line at all unless it were expected that an end user might want to make the one-character change.

Just to close this email thread, Mitre assigned one:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1692

--
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993