Feature #5992

Better Pidgin OTR security

Added by Tails 9 months ago. Updated 2 months ago.

Status:ResolvedStart date:09/30/2013
Priority:NormalDue date:
Assignee:-% Done:

100%

Category:-
Target version:Tails_1.1
QA Check: Blueprint:
Feature Branch: Easy:No
Type of work:Code

Description

We need to only allow OTR protocol v2 and later, to circumvent the protocol version negotiation attack described in Finite-State Security Analysis of OTR Version 2 ... until the protocol + libotr themselves are fixed.

This is fixed in 4.0.0 beta 1 (commit 7ffba65f).

Let's wait for Tails to be based on Wheezy, as the bug will fixed through a Wheezy point-release in libotr 3.2.1-1+deb7u1 (Debian bug 725779).


Subtasks

Feature #6328: Backport libotr 4.x for WheezyRejected

Feature #6329: Backport pidgin-otr 4.x for WheezyRejected

Feature #6548: Wait for libotr 3.2.1-1+deb7u1 to reach WheezyResolvedintrigeri

History

#1 Updated by intrigeri 9 months ago

  • Subject changed from better pidgin otr security to better Pidgin OTR security
  • Type of work changed from Wait to Code

#2 Updated by intrigeri 8 months ago

  • Easy set to No

#3 Updated by intrigeri 4 months ago

  • Subject changed from better Pidgin OTR security to Better Pidgin OTR security

#4 Updated by intrigeri 4 months ago

  • Assignee set to intrigeri

#5 Updated by intrigeri 2 months ago

  • Status changed from Confirmed to Fix committed

Now resolved in our feature/wheezy branch.

#6 Updated by intrigeri 2 months ago

  • Assignee deleted (intrigeri)
  • Target version set to Tails_1.1

#7 Updated by intrigeri 2 months ago

  • Status changed from Fix committed to Resolved

Also available in: Atom PDF