[prev in list] [next in list] [prev in thread] [next in thread] 

List:       oss-security
Subject:    [oss-security] CVE needed for libotr's support for OTR v1?
From:       Murray McAllister <mmcallis () redhat ! com>
Date:       2014-01-31 3:47:07
Message-ID: 52EB1CBB.8020100 () redhat ! com
[Download RAW message or body]

Hello,

Is a CVE needed for versions of libotr that support OTR v1? Quoting the 
Debian bug[1]:

""
as you are surely aware of, it's been known [1] since 2006 that
clients supporting both OTRv1 and v2 (such as libotr 3.x) are subject
to protocol downgrade attacks clients. It's also been known for
a while that OTRv1 has serious security issues (that were the main
reason for a v2, actually). In short, support v2 only is the only safe
way to go these days.

[1] http://citeseerx.ist.psu.edu/viewdoc/summary?doi=10.1.1.165.7945
""

Ubuntu advisory: http://www.ubuntu.com/usn/usn-2091-1/
Launchpad bug: https://bugs.launchpad.net/ubuntu/+source/libotr/+bug/1266016

Thanks,

--
Murray McAllister / Red Hat Security Response Team

[1] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=725779
[prev in list] [next in list] [prev in thread] [next in thread]