Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Date: Fri, 31 Jan 2014 14:47:07 +1100
From: Murray McAllister <mmcallis@...hat.com>
To: oss-security@...ts.openwall.com
Subject: CVE needed for libotr's support for OTR v1?

Hello,

Is a CVE needed for versions of libotr that support OTR v1? Quoting the 
Debian bug[1]:

""
as you are surely aware of, it's been known [1] since 2006 that
clients supporting both OTRv1 and v2 (such as libotr 3.x) are subject
to protocol downgrade attacks clients. It's also been known for
a while that OTRv1 has serious security issues (that were the main
reason for a v2, actually). In short, support v2 only is the only safe
way to go these days.

[1] http://citeseerx.ist.psu.edu/viewdoc/summary?doi=10.1.1.165.7945
""

Ubuntu advisory: http://www.ubuntu.com/usn/usn-2091-1/
Launchpad bug: https://bugs.launchpad.net/ubuntu/+source/libotr/+bug/1266016

Thanks,

--
Murray McAllister / Red Hat Security Response Team

[1] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=725779

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ