reopen 606922
thanks

> That's correct. It's disabled upstream and we haven't enabled it. I
> have no intention of enabling it until upstream say it's OK to do so
> (which will probably consist of enabling it by default).
>
> Here's the upstream commit message:
>
> - d...@cvs.openbsd.org 2010/09/20 04:50:53
> [jpake.c schnorr.c]
> check that received values are smaller than the group size in the
> disabled and unfinished J-PAKE code.
> avoids catastrophic security failure found by Sebastien Martini
>
> Michael, thanks for the heads-up, but I don't see any need to spend time
> backporting this. Anyone who goes in, enables this against the advice
> of upstream, and deploys it on a publicly-visible system deserves what
> they get! If you're going to use experimental authentication modes,
> then you at least need to use current CVS HEAD.
>
> I'm closing this bug, and I recommend the security team mark it as "no
> fix needed".
I apologize ahead of time for the BTS ping pong, but according to the
build log (which is where I checked for my original bug report) jpake is
indeed built.

$ debuild | grep jpake
gcc -g -O2 -Wall -Wpointer-arith -Wuninitialized -Wsign-compare -Wno-pointer-sign -Wformat-security -fno-strict-aliasing -fno-builtin-memset -fstack-protector-all -O2 -fPIE -fstack-protector -D_FORTIFY_SOURCE=2 -Wformat -Wformat-security -DLOGIN_PROGRAM=\"/bin/login\" -DLOGIN_NO_ENDOPT -DSSH_EXTRAVERSION=\"Debian-5\" -I. -I.. -DSSHDIR=\"/etc/ssh\" -D_PATH_SSH_PROGRAM=\"/usr/bin/ssh\" -D_PATH_SSH_ASKPASS_DEFAULT=\"/usr/bin/ssh-askpass\" -D_PATH_SFTP_SERVER=\"/usr/lib/openssh/sftp-server\" -D_PATH_SSH_KEY_SIGN=\"/usr/lib/openssh/ssh-keysign\" -D_PATH_SSH_PKCS11_HELPER=\"/usr/lib/openssh/ssh-pkcs11-helper\" -D_PATH_SSH_PIDDIR=\"/var/run\" -D_PATH_PRIVSEP_CHROOT_DIR=\"/var/run/sshd\" -DSSH_RAND_HELPER=\"/usr/lib/openssh/ssh-rand-helper\" -D_PATH_SSH_DATADIR=\"/usr/share/ssh\" -DHAVE_CONFIG_H -c ../jpake.c
gcc -g -O2 -Wall -Wpointer-arith -Wuninitialized -Wsign-compare -Wno-pointer-sign -Wformat-security -fno-strict-aliasing -fno-builtin-memset -fstack-protector-all -O2 -fPIE -fstack-protector -D_FORTIFY_SOURCE=2 -Wformat -Wformat-security -DLOGIN_PROGRAM=\"/bin/login\" -DLOGIN_NO_ENDOPT -DSSH_EXTRAVERSION=\"Debian-5\" -I. -I.. -DSSHDIR=\"/etc/ssh\" -D_PATH_SSH_PROGRAM=\"/usr/bin/ssh\" -D_PATH_SSH_ASKPASS_DEFAULT=\"/usr/bin/ssh-askpass\" -D_PATH_SFTP_SERVER=\"/usr/lib/openssh/sftp-server\" -D_PATH_SSH_KEY_SIGN=\"/usr/lib/openssh/ssh-keysign\" -D_PATH_SSH_PKCS11_HELPER=\"/usr/lib/openssh/ssh-pkcs11-helper\" -D_PATH_SSH_PIDDIR=\"/var/run\" -D_PATH_PRIVSEP_CHROOT_DIR=\"/var/run/sshd\" -DSSH_RAND_HELPER=\"/usr/lib/openssh/ssh-rand-helper\" -D_PATH_SSH_DATADIR=\"/usr/share/ssh\" -DHAVE_CONFIG_H -c ../auth2-jpake.c
/usr/bin/ar rv libssh.a acss.o authfd.o authfile.o bufaux.o bufbn.o buffer.o canohost.o channels.o cipher.o cipher-acss.o cipher-aes.o cipher-bf1.o cipher-ctr.o cipher-3des1.o cleanup.o compat.o compress.o crc32.o deattack.o fatal.o hostfile.o log.o match.o md-sha256.o moduli.o nchan.o packet.o readpass.o rsa.o ttymodes.o xmalloc.o addrmatch.o atomicio.o key.o dispatch.o kex.o mac.o uidswap.o uuencode.o misc.o monitor_fdpass.o rijndael.o ssh-dss.o ssh-rsa.o dh.o kexdh.o kexgex.o kexdhc.o kexgexc.o msg.o progressmeter.o dns.o entropy.o gss-genr.o umac.o jpake.o schnorr.o ssh-pkcs11.o kexgssc.o
a - jpake.o
gcc -o sshd sshd.o auth-rhosts.o auth-passwd.o auth-rsa.o auth-rh-rsa.o sshpty.o sshlogin.o servconf.o serverloop.o auth.o auth1.o auth2.o auth-options.o session.o auth-chall.o auth2-chall.o groupaccess.o auth-skey.o auth-bsdauth.o auth2-hostbased.o auth2-kbdint.o auth2-none.o auth2-passwd.o auth2-pubkey.o auth2-jpake.o monitor_mm.o monitor.o monitor_wrap.o kexdhs.o kexgexs.o auth-krb5.o auth2-gss.o gss-serv.o gss-serv-krb5.o kexgsss.o loginrec.o auth-pam.o auth-shadow.o auth-sia.o md5crypt.o audit.o audit-bsm.o platform.o sftp-server.o sftp-common.o roaming_common.o roaming_serv.o -L. -Lopenbsd-compat/ -fstack-protector-all -Wl,--as-needed -fPIE -pie -Wl,-z,relro -Wl,-z,now -lssh -lopenbsd-compat -lwrap -lpam -lselinux -lcrypto -ldl -lutil -lz -lnsl -lcrypt -lresolv -g -O2 -Wall -Wpointer-arith -Wuninitialized -Wsign-compare -Wno-pointer-sign -Wformat-security -fno-strict-aliasing -fno-builtin-memset -fstack-protector-all -O2 -fPIE -fstack-protector -D_FORTIFY_SOURCE=2 -Wformat -Wformat-security -DLOGIN_PROGRAM="/bin/login" -DLOGIN_NO_ENDOPT -DSSH_EXTRAVERSION="Debian-5" -lgssapi_krb5 -lkrb5 -lk5crypto -lcom_err
gcc -g -O2 -Wall -Wpointer-arith -Wuninitialized -Wsign-compare -Wno-pointer-sign -Wformat-security -fno-strict-aliasing -fno-builtin-memset -fstack-protector-all -Os -DSSH_EXTRAVERSION=\"Debian-5\" -I. -I.. -DSSHDIR=\"/etc/ssh\" -D_PATH_SSH_PROGRAM=\"/usr/bin/ssh\" -D_PATH_SSH_ASKPASS_DEFAULT=\"/usr/bin/ssh-askpass\" -D_PATH_SFTP_SERVER=\"/usr/lib/openssh/sftp-server\" -D_PATH_SSH_KEY_SIGN=\"/usr/lib/openssh/ssh-keysign\" -D_PATH_SSH_PKCS11_HELPER=\"/usr/lib/openssh/ssh-pkcs11-helper\" -D_PATH_SSH_PIDDIR=\"/var/run\" -D_PATH_PRIVSEP_CHROOT_DIR=\"/var/run/sshd\" -DSSH_RAND_HELPER=\"/usr/lib/openssh/ssh-rand-helper\" -D_PATH_SSH_DATADIR=\"/usr/share/ssh\" -DHAVE_CONFIG_H -c ../jpake.c
gcc -g -O2 -Wall -Wpointer-arith -Wuninitialized -Wsign-compare -Wno-pointer-sign -Wformat-security -fno-strict-aliasing -fno-builtin-memset -fstack-protector-all -Os -DSSH_EXTRAVERSION=\"Debian-5\" -I. -I.. -DSSHDIR=\"/etc/ssh\" -D_PATH_SSH_PROGRAM=\"/usr/bin/ssh\" -D_PATH_SSH_ASKPASS_DEFAULT=\"/usr/bin/ssh-askpass\" -D_PATH_SFTP_SERVER=\"/usr/lib/openssh/sftp-server\" -D_PATH_SSH_KEY_SIGN=\"/usr/lib/openssh/ssh-keysign\" -D_PATH_SSH_PKCS11_HELPER=\"/usr/lib/openssh/ssh-pkcs11-helper\" -D_PATH_SSH_PIDDIR=\"/var/run\" -D_PATH_PRIVSEP_CHROOT_DIR=\"/var/run/sshd\" -DSSH_RAND_HELPER=\"/usr/lib/openssh/ssh-rand-helper\" -D_PATH_SSH_DATADIR=\"/usr/share/ssh\" -DHAVE_CONFIG_H -c ../auth2-jpake.c
/usr/bin/ar rv libssh.a acss.o authfd.o authfile.o bufaux.o bufbn.o buffer.o canohost.o channels.o cipher.o cipher-acss.o cipher-aes.o cipher-bf1.o cipher-ctr.o cipher-3des1.o cleanup.o compat.o compress.o crc32.o deattack.o fatal.o hostfile.o log.o match.o md-sha256.o moduli.o nchan.o packet.o readpass.o rsa.o ttymodes.o xmalloc.o addrmatch.o atomicio.o key.o dispatch.o kex.o mac.o uidswap.o uuencode.o misc.o monitor_fdpass.o rijndael.o ssh-dss.o ssh-rsa.o dh.o kexdh.o kexgex.o kexdhc.o kexgexc.o msg.o progressmeter.o dns.o entropy.o gss-genr.o umac.o jpake.o schnorr.o ssh-pkcs11.o kexgssc.o
a - jpake.o
gcc -o sshd sshd.o auth-rhosts.o auth-passwd.o auth-rsa.o auth-rh-rsa.o sshpty.o sshlogin.o servconf.o serverloop.o auth.o auth1.o auth2.o auth-options.o session.o auth-chall.o auth2-chall.o groupaccess.o auth-skey.o auth-bsdauth.o auth2-hostbased.o auth2-kbdint.o auth2-none.o auth2-passwd.o auth2-pubkey.o auth2-jpake.o monitor_mm.o monitor.o monitor_wrap.o kexdhs.o kexgexs.o auth-krb5.o auth2-gss.o gss-serv.o gss-serv-krb5.o kexgsss.o loginrec.o auth-pam.o auth-shadow.o auth-sia.o md5crypt.o audit.o audit-bsm.o platform.o sftp-server.o sftp-common.o roaming_common.o roaming_serv.o -L. -Lopenbsd-compat/ -fstack-protector-all -Wl,--as-needed -lssh -lopenbsd-compat -lcrypto -ldl -lutil -lz -lcrypt -lresolv
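The range check that the quoted upstream commit message describes, shown in Python as an added example that is not OpenSSH's jpake.c or schnorr.c code: a received group element is rejected unless it lies in [1, p-1], and a received exponent unless it lies in [0, q-1], before any modular arithmetic uses it. The toy group p = 1019, q = 509, g = 4, the identity strings, and the reading of "group size" as the modulus p for group elements are assumptions made for the illustration.

```python
"""Bound-checking peer-supplied values in a Schnorr-style proof.

Added example for this bug thread; it is not OpenSSH's jpake.c or
schnorr.c.  The toy group (p = 1019, q = 509, g = 4) and the identity
strings are constructed for illustration only."""
import hashlib

P, Q, G = 1019, 509, 4   # p = 2q + 1; g = 2^2 generates the order-q subgroup


def check_received(value, modulus):
    """The check the upstream commit adds: a received group element must be
    a canonical residue in [1, modulus - 1].  Anything else (0, or a value
    >= p) must be rejected before it feeds a modular exponentiation, since
    such values collapse the exponentiation and void the proof's guarantees."""
    return isinstance(value, int) and 1 <= value < modulus


def challenge(v_pub, x_pub, ident):
    """Fiat-Shamir challenge c = H(g, V, X, id) mod q."""
    h = hashlib.sha256(f"{G}|{v_pub}|{x_pub}|{ident}".encode()).digest()
    return int.from_bytes(h, "big") % Q


def schnorr_prove(x, v, ident):
    """Prover knowing secret x (public X = g^x) with nonce v sends (X, V, r)."""
    x_pub, v_pub = pow(G, x, P), pow(G, v, P)
    r = (v - challenge(v_pub, x_pub, ident) * x) % Q
    return x_pub, v_pub, r


def schnorr_verify(x_pub, v_pub, r, ident):
    """Verifier: bound-check every received value, then test g^r * X^c == V."""
    if not (check_received(x_pub, P) and check_received(v_pub, P)):
        return False
    if not isinstance(r, int) or not 0 <= r < Q:   # exponent must be a residue mod q
        return False
    c = challenge(v_pub, x_pub, ident)
    return (pow(G, r, P) * pow(x_pub, c, P)) % P == v_pub


if __name__ == "__main__":
    X, V, r = schnorr_prove(x=123, v=77, ident="client-A")
    print("honest proof accepted:", schnorr_verify(X, V, r, "client-A"))
    print("X = 0 rejected:", not schnorr_verify(0, V, r, "client-A"))
    print("X >= p rejected:", not schnorr_verify(X + P, V, r, "client-A"))
```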