Date: Mon, 03 Feb 2014 01:13:06 -0700
From: Kurt Seifried <kseifried@...hat.com>
To: oss-security@...ts.openwall.com
Subject: Re: Re: OpenSSH J-PAKE vulnerability (no cause for panic! remain calm!)

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 01/29/2014 06:50 AM, cve-assign@...re.org wrote:
> Use CVE-2014-1692. The CVE description will indicate that the
> issue requires an unusual installation.
>
>> As I understand it this can be enabled via code edit/gcc command
>> line options, so not sure if this qualified for a CVE or not
>> (vuln in code, yes, is code reachable? not under any default
>> setup, and even on non-default you have to go pretty far off to
>> enable it).
>
> An impact on the default installation isn't necessary.
> Vulnerabilities that occur only after the user modifies code aren't
> eligible for a CVE. However, if there's some type of "installation
> option" mentioned by the vendor, someone may have chosen that
> option, and it may be worthwhile to track the issue with a CVE. The
> nature of an "installation option" obviously varies widely across
> both open-source and closed-source products.
>
> In this case, there's:
>
>> http://www.openbsd.org/cgi-bin/cvsweb/src/usr.bin/ssh/Makefile.inc
>
>> Add support for an experimental zero-knowledge password
>> authentication method using the J-PAKE protocol ...
>
>> This is experimental, work-in-progress code and is presently
>> compiled-time disabled (turn on -DJPAKE in Makefile.inc).
>
>> http://www.openbsd.org/cgi-bin/cvsweb/~checkout~/src/usr.bin/ssh/Makefile.inc?rev=1.41;content-type=text%2Fplain
>
>> #CFLAGS+= -DJPAKE
>
> This is close to the edge of what "installation option" means, but
> our feeling is that the vendor wouldn't have provided that #CFLAGS
> line at all unless it were expected that an end user might want to
> make the one-character change.
Just to close this email thread, Mitre assigned one:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1692

- --
Kurt Seifried
Red Hat Security Response Team (SRT)
PGP: 0x5E267993
A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIcBAEBAgAGBQJS70+RAAoJEBYNRVNeJnmT5V4P/RDdFaGl0YNanqE4OU8Xu6qz
a//9Aupt8DPYgSFq9UvIJHMpK8+PBH5SIqM2byGOvAwActrK4qDrwcgdng1LKbEz
IqFHycNfwW4y5EB2hSd28d0WvPlsdBLekc4hClLXfek5P8nwFeixb7SW7zp6SzSb
BIT9z4L77a1V/u2F4LtMwGPEIebGOZzpaLPwKeRZDhigZ3IvYG7q7FiukiJiUio8
Zx8gw6912Uh43J23Dd9gsUtm/cRZ0vjzfgvJlyNX++ew0bKT7s8uVUHWar//KuXF
oT2PVORkQLfJ1zRvHw8FW+pBsCWVYhdeSQ2caf+Y0/03WXoRm6IU2StI/4i2nb32
o6tf1hBt45QtfYduI9h378tINQhzKgR23OPUXmc8ZE8lp9kLH4P1+yhiEovJU/u4
oo6FivRmYBlvVoGx7LbLHEIPQaR0xgdSb9j6E7eaGzFT1a9UhaCS0nCAn0tyaeT5
SHFGKIl+s99pU5JGyl5Wm2TFe0aVt0USf78GyovqzW4OT+g/llmBQH4MCS4OJdak
KZtDOvTBn1CDTutNQL2nnd9geaQlPJeFTd+RFbi1dwRz9Dd+N6AR1/P8At2lzNqX
DN9wP4Xpuzk696+Ij4mvvLupwiL9bDSGsy4H7UcmEZCUmQf6+JCztFEO3YjITdai
VjBpviosVXRv/n4qDGRf
=WJSy
-----END PGP SIGNATURE-----
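The thread turns on whether the `#CFLAGS+= -DJPAKE` line in Makefile.inc was left commented out (the shipped state) or uncommented (the "one-character change"). The following is an added example, not code from OpenSSH or from anyone in this thread, of how an administrator auditing a locally built tree could answer that question from the build configuration rather than by guessing: it walks a BSD-make style file top to bottom, honours comments, `+=`, `=` and `?=` assignments and `-U` undefines, and reports which `-D` macros end up active. The sample Makefile.inc text is constructed here and only models the real file.

```python
"""Audit a make-style Makefile.inc for the compile-time feature defines that
are actually in effect (added example; not OpenSSH project code)."""
import re
import shlex

# VAR op VALUE, where op is one of +=, = or ?= (":=" is not handled here)
_ASSIGN = re.compile(r'^\s*(?P<var>[A-Za-z_][A-Za-z0-9_]*)\s*(?P<op>\+=|=|\?=)\s*(?P<val>.*)$')


def _logical_lines(text):
    """Yield lines with backslash continuations joined."""
    buf = ''
    for raw in text.splitlines():
        if raw.endswith('\\'):
            buf += raw[:-1] + ' '
            continue
        yield buf + raw
        buf = ''
    if buf:
        yield buf


def cflags(text):
    """Return the effective CFLAGS token list after processing the whole file.

    A commented-out line such as '#CFLAGS+= -DJPAKE' contributes nothing;
    a later 'CFLAGS= ...' replaces everything accumulated before it.
    """
    flags = []
    for line in _logical_lines(text):
        code = line.split('#', 1)[0]          # drop comments, incl. '#CFLAGS+=' lines
        m = _ASSIGN.match(code)
        if not m or m.group('var') != 'CFLAGS':
            continue
        tokens = shlex.split(m.group('val'))
        op = m.group('op')
        if op == '=':
            flags = tokens
        elif op == '+=':
            flags.extend(tokens)
        elif op == '?=' and not flags:
            flags = tokens
    return flags


def active_defines(text):
    """Map macro name -> value for every -D still in effect (a later -U removes it)."""
    defs = {}
    for tok in cflags(text):
        if tok.startswith('-D') and len(tok) > 2:
            name, _, val = tok[2:].partition('=')
            defs[name] = val or '1'               # bare -DFOO means FOO=1 to the C preprocessor
        elif tok.startswith('-U') and len(tok) > 2:
            defs.pop(tok[2:], None)
    return defs


def jpake_enabled(text):
    """True only if -DJPAKE is uncommented and not later overridden or undefined."""
    return 'JPAKE' in active_defines(text)


# Constructed sample modelled on the shipped Makefile.inc; FEATURE_X is a placeholder macro.
SHIPPED = """\
# constructed sample, not the real OpenSSH Makefile.inc
CFLAGS+= -Wall -DFEATURE_X
#CFLAGS+= -DJPAKE
"""

# The one-character change the thread describes: the leading '#' removed.
MODIFIED = SHIPPED.replace('#CFLAGS+= -DJPAKE', 'CFLAGS+= -DJPAKE')

if __name__ == '__main__':
    for label, text in (('shipped', SHIPPED), ('modified', MODIFIED)):
        print(label, 'JPAKE enabled:', jpake_enabled(text), 'defines:', active_defines(text))
```

A plain `grep JPAKE Makefile.inc` matches both the shipped and the modified file, which is exactly the distinction that matters for deciding whether CVE-2014-1692 applies to a given build; parsing the assignment state avoids that false positive and also catches a later `CFLAGS=` line that silently discards the option.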