List: oss-security
Subject: [oss-security] CVE needed for libotr's support for OTR v1?
From: Murray McAllister <mmcallis () redhat ! com>
Date: 2014-01-31 3:47:07
Message-ID: 52EB1CBB.8020100 () redhat ! com
Hello,
Is a CVE needed for versions of libotr that support OTR v1? Quoting the
Debian bug[1]:
""
as you are surely aware of, it's been known [1] since 2006 that
clients supporting both OTRv1 and v2 (such as libotr 3.x) are subject
to protocol downgrade attacks. It's also been known for
a while that OTRv1 has serious security issues (that were the main
reason for a v2, actually). In short, supporting v2 only is the only safe
way to go these days.
[1] http://citeseerx.ist.psu.edu/viewdoc/summary?doi=10.1.1.165.7945
""
Ubuntu advisory: http://www.ubuntu.com/usn/usn-2091-1/
Launchpad bug: https://bugs.launchpad.net/ubuntu/+source/libotr/+bug/1266016
Thanks,
--
Murray McAllister / Red Hat Security Response Team
[1] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=725779
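As an added illustration of the downgrade the Debian bug above refers to (this is example code, not part of the original message and not libotr's code): OTR peers advertise supported protocol versions in a plaintext query message, "?OTR?" for v1 only, "?OTRv2?" for v2 only and "?OTR?v2?" for both. Because that advertisement is neither encrypted nor authenticated, an active attacker can rewrite it so that only v1 is offered, and a peer whose policy still allows v1 will happily start a v1 session. The simulation below models only that version-negotiation step; the policy flag names mirror libotr's OTRL_POLICY_ALLOW_V1/OTRL_POLICY_ALLOW_V2 but the negotiation logic is an assumption written for this example, not libotr's implementation.

```python
import re

# OTR query-message grammar (from the OTR protocol spec): "?OTR", then an
# optional "?" meaning "I speak v1", then an optional "v<digits>?" listing the
# other versions offered.  Trailing human-readable text is permitted.
QUERY_RE = re.compile(r"^\?OTR(\?)?(?:v([0-9]+)\?)?")

# Policy bits, named after libotr's OTRL_POLICY_ALLOW_V1 / _V2 (assumed here).
ALLOW_V1 = 0x01
ALLOW_V2 = 0x02


def parse_query(msg):
    """Return the set of protocol versions a query message offers (empty if it is not a query)."""
    m = QUERY_RE.match(msg)
    if not m:
        return set()
    versions = set()
    if m.group(1):          # the lone "?" advertises v1
        versions.add(1)
    if m.group(2):          # each digit after "v" advertises another version
        versions.update(int(c) for c in m.group(2))
    return versions


def build_query(versions):
    """Encode an offered version set as a query message."""
    out = "?OTR"
    if 1 in versions:
        out += "?"
    others = "".join(str(v) for v in sorted(versions) if v != 1)
    if others:
        out += "v" + others + "?"
    return out


def allowed_versions(policy):
    """Versions a client with the given policy is willing to speak."""
    allowed = set()
    if policy & ALLOW_V1:
        allowed.add(1)
    if policy & ALLOW_V2:
        allowed.add(2)
    return allowed


def choose_version(offered, policy):
    """Pick the highest version both offered by the peer and permitted by policy; None means no session."""
    common = offered & allowed_versions(policy)
    return max(common) if common else None


def mitm_downgrade(msg):
    """Active attacker rewrites the query so only v1 is offered (the attack the bug describes)."""
    offered = parse_query(msg)
    if 1 in offered:
        return build_query({1})
    return msg  # a v2-only query gives the attacker nothing to downgrade to


def run_exchange(initiator_policy, responder_policy, attacker=None):
    """Initiator sends a query built from its policy; responder picks a version from what arrives."""
    query = build_query(allowed_versions(initiator_policy))
    if attacker is not None:
        query = attacker(query)
    return choose_version(parse_query(query), responder_policy)


if __name__ == "__main__":
    both = ALLOW_V1 | ALLOW_V2
    # libotr 3.x default: both sides allow v1 and v2, attacker forces v1.
    print("no attacker, both allow v1+v2:", run_exchange(both, both))
    print("MITM,        both allow v1+v2:", run_exchange(both, both, mitm_downgrade))
    # The fix recommended in the bug: v2 only on both ends.
    print("MITM,        both v2 only:    ", run_exchange(ALLOW_V2, ALLOW_V2, mitm_downgrade))
    # A v2-only responder fails closed (no session) rather than accepting v1.
    print("MITM,        responder v2 only:", run_exchange(both, ALLOW_V2, mitm_downgrade))
```

The last two cases are the practitioner's check: once ALLOW_V1 is cleared on a peer, the rewritten "?OTR?" query yields no session at all instead of a v1 one, which is the fail-closed behaviour the bug report is asking distributions to ship by default.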