On Thu, 30 Jan 2014, mancha wrote: > <no_spam_98 <at> yahoo.com> writes: > > > > http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-1692 > > > > The NIST advisory says that all versions of OpenSSH potentially contain > > the flaw. But is that really true? For example, I looked at the > > 3.8.1p1 distribution and didn't find any reference to JPAKE at all. > > Hi. The NVD advisory is inaccurate. JPAKE experimental code was > first introduced in OpenSSH 5.2, iirc. > > Also, the advisory should be taken with a grain of salt as the > vulnerable code is not activated without pro-active user code > modification. oh man, that CVE is nuts. "Exploitability Subscore: 10.0" - it's code that is experimental, never enabled, never mentioned in release notes, has no configure option. On top of that, the attacker has to make EVP_Digest* fail (and I know of no way to do this remotely) as a result. -d _______________________________________________ openssh-unix-dev mailing list openssh-unix-dev@xxxxxxxxxxx https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
