<no_spam_98 <at> yahoo.com> writes: > > http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-1692 > > The NIST advisory says that all versions of OpenSSH potentially contain > the flaw. But is that really true? For example, I looked at the > 3.8.1p1 distribution and didn't find any reference to JPAKE at all. Hi. The NVD advisory is inaccurate. JPAKE experimental code was first introduced in OpenSSH 5.2, iirc. Also, the advisory should be taken with a grain of salt as the vulnerable code is not activated without pro-active user code modification. --mancha _______________________________________________ openssh-unix-dev mailing list openssh-unix-dev@xxxxxxxxxxx https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev