1. Forum
  2. Usenet
  3. LINUX.DEBIAN.ANNOUNCE.SEC

  • [SECURITY] [DSA 3626-1] openssh security update

    From Salvatore Bonaccorso@1:229/2 to All on Sun Jul 24 11:30:02 2016
    From: [email protected]

    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA512

    - ------------------------------------------------------------------------- Debian Security Advisory DSA-3626-1 [email protected] https://www.debian.org/security/ Salvatore Bonaccorso
    July 24, 2016 https://www.debian.org/security/faq
    - -------------------------------------------------------------------------

    Package : openssh
    CVE ID : CVE-2016-6210
    Debian Bug : 831902

    Eddie Harari reported that the OpenSSH SSH daemon allows user
    enumeration through timing differences when trying to authenticate
    users. When sshd tries to authenticate a non-existing user, it will pick
    up a fixed fake password structure with a hash based on the Blowfish
    algorithm. If real users passwords are hashed using SHA256/SHA512, then
    a remote attacker can take advantage of this flaw by sending large
    passwords, receiving shorter response times from the server for
    non-existing users.

    For the stable distribution (jessie), this problem has been fixed in
    version 1:6.7p1-5+deb8u3.

    For the unstable distribution (sid), this problem has been fixed in
    version 1:7.2p2-6.

    We recommend that you upgrade your openssh packages.

    Further information about Debian Security Advisories, how to apply
    these updates to your system and frequently asked questions can be
    found at: https://www.debian.org/security/

    Mailing list: [email protected]
    -----BEGIN PGP SIGNATURE-----
    Version: GnuPG v1

    iQIcBAEBCgAGBQJXlISdAAoJEAVMuPMTQ89E50EP/2IZzNstrspvhIJzWiJ0XJpA GHzRSK0tbMZEfolYBwPQ6Z8G7hWeBnP0sQIsCjuSbmasvjdKgOLDL90ffrsPnb2/ hHnP7SOERXHGSXmgB9/7hWQtjtxS9mDw703H9XI73Rb3DF8aVrPYUGvQb8/hIh4F Cb/TX2rmPTievw+JWAhkwxa5yEwqrl7J2yARtwraeNujoXvOyZpogNcoQ4HkKQtG X+nktjcs6Y8rETTNJzOAeo9HlPRDnxVaHmjN47DXk2IqpyJWYWEOX/rlvAIRKkFH M5xtciU3POVnMqE/CYsqJFmlo0QpQI+LYFTjd6gs0bd3TN71SpV+kg36U+ujG5kk EACgrpWKBnWdUzwYk7Ur2hj95UgXHjQDeZM69WIg9a+OemW9op9ZuYx+umb38+zd bJnMwjvF5uzQGwyM3Nk91EjZYmxKLlv0CO1MCUBaF5Re7b6Ki2wLUmlMmGDGPRS3 Q8NFeRO9ycpFkkqaVvYkiyrTkPquBaH2MG5HUMOnBwMtg4ksTgHxIGWh975EnLTh TealNc9LFwG3YHJw+rqTmm/YAVNJgoFR7J4mu3s381TSBhU28ZhtR9EJq5wls9gd Ughr9rcdp0pv4RNugkWx7IxsB+tt3DXHR6fR1urCg1vu7Sc4tXGTGc+0zl9MVIe6 JAuXfU6yrbxD4t4dBq9D
    =0fAi
    -----END PGP SIGNATURE-----

    --- SoupGate-Win32 v1.05
    * Origin: you cannot sedate... all the things you hate (1:229/2)