[Pkg-openssl-devel] Bug#606902: Bug#606902: openssl: cve-2010-4252 j-pake issue

Michael Gilbert michael.s.gilbert at gmail.com
Sun Dec 12 22:38:21 UTC 2010


On Sun, Dec 12, 2010 at 5:34 PM, Kurt Roeckx wrote:
> On Sun, Dec 12, 2010 at 04:04:38PM -0500, Michael Gilbert wrote:
>>
>> Hi,
>> the following CVE (Common Vulnerabilities & Exposures) id was
>> published for openssl.
>>
>> CVE-2010-4252[0]:
>> | OpenSSL before 1.0.0c, when J-PAKE is enabled, does not properly
>> | validate the public parameters in the J-PAKE protocol, which allows
>> | remote attackers to bypass the need for knowledge of the shared
>> | secret, and successfully authenticate, by sending crafted values in
>> | each round of the protocol.
>
> I knew about it.
>
>> Note that -DOPENSSL_NO_JPAKE appears to be set currently, so the
>> as-built version isn't affected.
>
> So what's the point of filing this bug?

Like I said, to track upstream progress, and to keep a record in case
it does get enabled by default.

> I don't plan to fix a bug that doesn't affect us.

Of course.

Mike