CVE-2014-1692
Damien Miller
djm at mindrot.org
Fri Jan 31 07:31:52 EST 2014
On Thu, 30 Jan 2014, mancha wrote:
> <no_spam_98 <at> yahoo.com> writes:
> >
> > http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-1692
> >
> > The NIST advisory says that all versions of OpenSSH potentially contain
> > the flaw. But is that really true? For example, I looked at the
> > 3.8.1p1 distribution and didn't find any reference to JPAKE at all.
>
> Hi. The NVD advisory is inaccurate. JPAKE experimental code was
> first introduced in OpenSSH 5.2, iirc.
>
> Also, the advisory should be taken with a grain of salt as the
> vulnerable code is not activated without pro-active user code
> modification.
oh man, that CVE is nuts.
"Exploitability Subscore: 10.0" - it's code that is experimental,
never enabled, never mentioned in release notes, has no configure
option. On top of that, the attacker has to make EVP_Digest* fail
(and I know of no way to do this remotely) as a result.
-d
More information about the openssh-unix-dev
mailing list