[Pkg-openssl-devel] Bug#606902: openssl: cve-2010-4252 j-pake issue
Michael Gilbert
michael.s.gilbert at gmail.com
Sun Dec 12 21:04:38 UTC 2010
Package: openssl
Version: 0.9.8o-3
Severity: important
Tags: security
Hi,
the following CVE (Common Vulnerabilities & Exposures) id was
published for openssl.
CVE-2010-4252[0]:
| OpenSSL before 1.0.0c, when J-PAKE is enabled, does not properly
| validate the public parameters in the J-PAKE protocol, which allows
| remote attackers to bypass the need for knowledge of the shared
| secret, and successfully authenticate, by sending crafted values in
| each round of the protocol.
Note that -DOPENSSL_NO_JPAKE appears to be set currently, so the
as-built version isn't affected. Please close this bug when an upstream
version with the fix is uploaded.
If you fix the vulnerability please also make sure to include the
CVE id in your changelog entry.
For further information see:
[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4252
http://security-tracker.debian.org/tracker/CVE-2010-4252
More information about the Pkg-openssl-devel
mailing list