[manjaro-security] [arch-security] [ASA-201608-1] openssh: information leakage
Christian Rebischke
Chris.Rebischke at archlinux.org
Tue Aug 2 14:21:57 CEST 2016
Arch Linux Security Advisory ASA-201608-1
=========================================
Severity: Medium
Date : 2016-08-02
CVE-ID : CVE-2016-6210
Package : openssh
Type : information leakage
Remote : Yes
Link : https://wiki.archlinux.org/index.php/CVE
Summary
=======
The package openssh before version 7.3p1-1 is vulnerable to information
leakage.
Resolution
==========
Upgrade to 7.3p1-1.
# pacman -Syu "openssh>=7.3p1-1"
The problem has been fixed upstream in version 7.3p1.
Workaround
==========
None.
Description
===========
Mitigate timing differences in password authentication that could be
used to discern valid from invalid account names when long passwords
were sent and particular password hashing algorithms are in use on the
server. Reported by EddieEzra.Harari at verint.com
Impact
======
A remote attacker is able to enumerate users by sending large passwords.
References
==========
https://access.redhat.com/security/cve/CVE-2016-6210
http://seclists.org/fulldisclosure/2016/Jul/51
http://www.openssh.com/txt/release-7.3
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 819 bytes
Desc: not available
URL: <http://lists.manjaro.org/pipermail/manjaro-security/attachments/20160802/4e576093/attachment.pgp>
More information about the manjaro-security
mailing list