oss-sec mailing list archives
CVE needed for libotr's support for OTR v1?
From: Murray McAllister <mmcallis () redhat com>
Date: Fri, 31 Jan 2014 14:47:07 +1100
Hello,

Is a CVE needed for versions of libotr that support OTR v1? Quoting the Debian bug[1]:

""
as you are surely aware of, it's been known [1] since 2006 that clients supporting both OTRv1 and v2 (such as libotr 3.x) are subject to protocol downgrade attacks. It's also been known for a while that OTRv1 has serious security issues (that were the main reason for a v2, actually). In short, supporting v2 only is the only safe way to go these days.

[1] http://citeseerx.ist.psu.edu/viewdoc/summary?doi=10.1.1.165.7945
""

Ubuntu advisory: http://www.ubuntu.com/usn/usn-2091-1/
Launchpad bug: https://bugs.launchpad.net/ubuntu/+source/libotr/+bug/1266016

Thanks,

--
Murray McAllister / Red Hat Security Response Team

[1] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=725779
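As an added illustration of why the Debian bug's "v2 only" advice is the mitigation (this is example code, not from the post, the bug report, or libotr), the block below models OTR query-message version negotiation: the policy flag names mirror libotr's OTRL_POLICY_ALLOW_V1/ALLOW_V2, but their values, the parser and the selection logic are this example's own.

```python
import re

# Policy bits; names mirror libotr's OTRL_POLICY_ALLOW_V1 / ALLOW_V2
# (the numeric values are this example's own, not libotr's).
ALLOW_V1 = 0x01
ALLOW_V2 = 0x02
V2_ONLY = ALLOW_V2          # the policy the Debian bug recommends

# OTR query messages per the OTR spec: "?OTR?" advertises only v1,
# "?OTRv2?" only v2, "?OTR?v2?" both, "?OTRv?" no version at all.
QUERY_RE = re.compile(r"\?OTR(?P<v1>\?)?(?:v(?P<later>\d*)\?)?")


def parse_query(msg):
    """Return the set of protocol versions a query message advertises."""
    m = QUERY_RE.search(msg)
    if not m or (m.group("v1") is None and m.group("later") is None):
        return set()  # not a query (plain text, or a "?OTR:..." data message)
    versions = {1} if m.group("v1") else set()
    versions |= {int(d) for d in (m.group("later") or "")}
    return versions


def select_version(policy, advertised):
    """Highest version that the peer advertises and our policy allows."""
    allowed = set()
    if policy & ALLOW_V1:
        allowed.add(1)
    if policy & ALLOW_V2:
        allowed.add(2)
    common = allowed & advertised
    return max(common) if common else None


def negotiate(policy, msg):
    return select_version(policy, parse_query(msg))


if __name__ == "__main__":
    # Constructed messages: the query as the initiator sent it, and the same
    # query with its v2 advertisement removed in transit (the downgrade case).
    as_sent, stripped = "?OTR?v2?", "?OTR?"
    for label, policy in (("allow v1+v2", ALLOW_V1 | ALLOW_V2), ("v2 only", V2_ONLY)):
        print(label, "as sent ->", negotiate(policy, as_sent),
              "| stripped ->", negotiate(policy, stripped))
    # allow v1+v2: stripped -> 1    (silently falls back to the weak v1)
    # v2 only:     stripped -> None (no session rather than a v1 session)
```

A receiver whose policy still allows v1 cannot tell a peer that only speaks v1 from a query whose v2 advertisement was removed, which is why removing v1 support, rather than merely preferring v2, is what closes the downgrade.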