CVE-2014-1692

mancha mancha1 at hush.com
Fri Jan 31 05:43:10 EST 2014


<no_spam_98 <at> yahoo.com> writes:
> 
> http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-1692
> 
> The NIST advisory says that all versions of OpenSSH potentially contain
> the flaw.  But is that really true?  For example, I looked at the
> 3.8.1p1 distribution and didn't find any reference to JPAKE at all.

Hi. The NVD advisory is inaccurate. JPAKE experimental code was
first introduced in OpenSSH 5.2, iirc.

Also, the advisory should be taken with a grain of salt as the
vulnerable code is not activated without proactive user code
modification.

--mancha




More information about the openssh-unix-dev mailing list