[Pkg-openssl-devel] Bug#606902: Bug#606902: openssl: cve-2010-4252 j-pake issue
Kurt Roeckx
kurt at roeckx.be
Sun Dec 12 22:34:49 UTC 2010
On Sun, Dec 12, 2010 at 04:04:38PM -0500, Michael Gilbert wrote:
>
> Hi,
> the following CVE (Common Vulnerabilities & Exposures) id was
> published for openssl.
>
> CVE-2010-4252[0]:
> | OpenSSL before 1.0.0c, when J-PAKE is enabled, does not properly
> | validate the public parameters in the J-PAKE protocol, which allows
> | remote attackers to bypass the need for knowledge of the shared
> | secret, and successfully authenticate, by sending crafted values in
> | each round of the protocol.
I knew about it.
> Note that -DOPENSSL_NO_JPAKE appears to be set currently, so the
> as-built version isn't affected.
So what's the point of filing this bug?
I don't plan to fix a bug that doesn't affect us.
Kurt