CVE-2014-1692

Damien Miller djm at mindrot.org
Fri Jan 31 07:31:52 EST 2014


On Thu, 30 Jan 2014, mancha wrote:

> <no_spam_98 <at> yahoo.com> writes:
> > 
> > http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-1692
> > 
> > The NIST advisory says that all versions of OpenSSH potentially contain
> > the flaw.  But is that really true?  For example, I looked at the
> > 3.8.1p1 distribution and didn't find any reference to JPAKE at all.
> 
> Hi. The NVD advisory is inaccurate. JPAKE experimental code was
> first introduced in OpenSSH 5.2, iirc.
> 
> Also, the advisory should be taken with a grain of salt as the
> vulnerable code is not activated without pro-active user code
> modification.

Oh man, that CVE is nuts.

"Exploitability Subscore: 10.0" - it's code that is experimental,
never enabled, never mentioned in release notes, has no configure
option. On top of that, the attacker has to make EVP_Digest* fail
(and I know of no way to do this remotely) as a result.

-d


More information about the openssh-unix-dev mailing list