Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Date: Mon, 03 Feb 2014 01:13:06 -0700
From: Kurt Seifried <kseifried@...hat.com>
To: oss-security@...ts.openwall.com
Subject: Re: Re: OpenSSH J-PAKE vulnerability (no cause for
 panic! remain calm!)

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 01/29/2014 06:50 AM, cve-assign@...re.org wrote:
> Use CVE-2014-1692. The CVE description will indicate that the
> issue requires an unusual installation.
> 
>> As I understand it this can be enabled via code edit/gcc command
>> line options, so not sure if this qualified for a CVE or not
>> (vuln in code, yes, is code reachable? not under any default
>> setup, and even on non-default you have to go pretty far off to
>> enable it).
> 
> An impact on the default installation isn't necessary.
> Vulnerabilities that occur only after the user modifies code aren't
> eligible for a CVE. However, if there's some type of "installation
> option" mentioned by the vendor, someone may have chosen that
> option, and it may be worthwhile to track the issue with a CVE. The
> nature of an "installation option" obviously varies widely across
> both open-source and closed-source products.
> 
> In this case, there's:
> 
>> http://www.openbsd.org/cgi-bin/cvsweb/src/usr.bin/ssh/Makefile.inc
>
>>  Add support for an experimental zero-knowledge password
>> authentication method using the J-PAKE protocol ...
> 
>> This is experimental, work-in-progress code and is presently 
>> compiled-time disabled (turn on -DJPAKE in Makefile.inc).
> 
>> http://www.openbsd.org/cgi-bin/cvsweb/~checkout~/src/usr.bin/ssh/Makefile.inc?rev=1.41;content-type=text%2Fplain
>
>>  #CFLAGS+=	-DJPAKE
> 
> This is close to the edge of what "installation option" means, but
> our feeling is that the vendor wouldn't have provided that #CFLAGS
> line at all unless it were expected that an end user might want to
> make the one-character change.

Just to close this email thread, Mitre assigned one:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1692

- -- 
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIcBAEBAgAGBQJS70+RAAoJEBYNRVNeJnmT5V4P/RDdFaGl0YNanqE4OU8Xu6qz
a//9Aupt8DPYgSFq9UvIJHMpK8+PBH5SIqM2byGOvAwActrK4qDrwcgdng1LKbEz
IqFHycNfwW4y5EB2hSd28d0WvPlsdBLekc4hClLXfek5P8nwFeixb7SW7zp6SzSb
BIT9z4L77a1V/u2F4LtMwGPEIebGOZzpaLPwKeRZDhigZ3IvYG7q7FiukiJiUio8
Zx8gw6912Uh43J23Dd9gsUtm/cRZ0vjzfgvJlyNX++ew0bKT7s8uVUHWar//KuXF
oT2PVORkQLfJ1zRvHw8FW+pBsCWVYhdeSQ2caf+Y0/03WXoRm6IU2StI/4i2nb32
o6tf1hBt45QtfYduI9h378tINQhzKgR23OPUXmc8ZE8lp9kLH4P1+yhiEovJU/u4
oo6FivRmYBlvVoGx7LbLHEIPQaR0xgdSb9j6E7eaGzFT1a9UhaCS0nCAn0tyaeT5
SHFGKIl+s99pU5JGyl5Wm2TFe0aVt0USf78GyovqzW4OT+g/llmBQH4MCS4OJdak
KZtDOvTBn1CDTutNQL2nnd9geaQlPJeFTd+RFbi1dwRz9Dd+N6AR1/P8At2lzNqX
DN9wP4Xpuzk696+Ij4mvvLupwiL9bDSGsy4H7UcmEZCUmQf6+JCztFEO3YjITdai
VjBpviosVXRv/n4qDGRf
=WJSy
-----END PGP SIGNATURE-----

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.