[manjaro-security] [arch-security] [ASA-201608-1] openssh: information leakage
Chris.Rebischke at archlinux.org
Tue Aug 2 14:21:57 CEST 2016
Arch Linux Security Advisory ASA-201608-1
Date : 2016-08-02
CVE-ID : CVE-2016-6210
Package : openssh
Type : information leakage
Remote : Yes
Link : https://wiki.archlinux.org/index.php/CVE
The package openssh before version 7.3p1-1 is vulnerable to information
Upgrade to 7.3p1-1.
# pacman -Syu "openssh>=7.3p1-1"
The problem has been fixed upstream in version 7.3p1.
Mitigate timing differences in password authentication that could be
used to discern valid from invalid account names when long passwords
were sent and particular password hashing algorithms are in use on the
server. Reported by EddieEzra.Harari at verint.com
A remote attacker is able to enumerate users by sending large passwords.
-------------- next part --------------
A non-text attachment was scrubbed...
Size: 819 bytes
Desc: not available
More information about the manjaro-security