Zum Inhalt springen.
Sympa Menü

it-securitynotifies - [IT-SecNots] [SECURITY] [DSA 3626-1] openssh security update

it-securitynotifies AT lists.piratenpartei.de

Betreff: Sicherheitsankündigungen

Listenarchiv

[IT-SecNots] [SECURITY] [DSA 3626-1] openssh security update


Chronologisch Thread 
    < Chronologisch >      < Thread >
  • From: Salvatore Bonaccorso <carnil AT debian.org>
  • To: debian-security-announce AT lists.debian.org
  • Subject: [IT-SecNots] [SECURITY] [DSA 3626-1] openssh security update
  • Date: Sun, 24 Jul 2016 09:19:18 +0000
  • List-archive: https://lists.debian.org/msgid-search/E1bRFZ8-0005Ep-I6 AT master.debian.org
  • List-id: <debian-security-announce.lists.debian.org>
  • List-url: <http://lists.debian.org/debian-security-announce/>
  • Old-return-path: <carnil AT master.debian.org>
  • Priority: urgent
  • Resent-date: Sun, 24 Jul 2016 09:19:36 +0000 (UTC)
  • Resent-from: debian-security-announce AT lists.debian.org
  • Resent-message-id: <DEpFAw4fIYN.A.Oj.ogIlXB@bendel>
  • Resent-sender: debian-security-announce-request AT lists.debian.org
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

- -------------------------------------------------------------------------
Debian Security Advisory DSA-3626-1 security AT debian.org
https://www.debian.org/security/ Salvatore Bonaccorso
July 24, 2016 https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package : openssh
CVE ID : CVE-2016-6210
Debian Bug : 831902

Eddie Harari reported that the OpenSSH SSH daemon allows user
enumeration through timing differences when trying to authenticate
users. When sshd tries to authenticate a non-existing user, it will pick
up a fixed fake password structure with a hash based on the Blowfish
algorithm. If real users passwords are hashed using SHA256/SHA512, then
a remote attacker can take advantage of this flaw by sending large
passwords, receiving shorter response times from the server for
non-existing users.

For the stable distribution (jessie), this problem has been fixed in
version 1:6.7p1-5+deb8u3.

For the unstable distribution (sid), this problem has been fixed in
version 1:7.2p2-6.

We recommend that you upgrade your openssh packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: debian-security-announce AT lists.debian.org
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIcBAEBCgAGBQJXlISdAAoJEAVMuPMTQ89E50EP/2IZzNstrspvhIJzWiJ0XJpA
GHzRSK0tbMZEfolYBwPQ6Z8G7hWeBnP0sQIsCjuSbmasvjdKgOLDL90ffrsPnb2/
hHnP7SOERXHGSXmgB9/7hWQtjtxS9mDw703H9XI73Rb3DF8aVrPYUGvQb8/hIh4F
Cb/TX2rmPTievw+JWAhkwxa5yEwqrl7J2yARtwraeNujoXvOyZpogNcoQ4HkKQtG
X+nktjcs6Y8rETTNJzOAeo9HlPRDnxVaHmjN47DXk2IqpyJWYWEOX/rlvAIRKkFH
M5xtciU3POVnMqE/CYsqJFmlo0QpQI+LYFTjd6gs0bd3TN71SpV+kg36U+ujG5kk
EACgrpWKBnWdUzwYk7Ur2hj95UgXHjQDeZM69WIg9a+OemW9op9ZuYx+umb38+zd
bJnMwjvF5uzQGwyM3Nk91EjZYmxKLlv0CO1MCUBaF5Re7b6Ki2wLUmlMmGDGPRS3
Q8NFeRO9ycpFkkqaVvYkiyrTkPquBaH2MG5HUMOnBwMtg4ksTgHxIGWh975EnLTh
TealNc9LFwG3YHJw+rqTmm/YAVNJgoFR7J4mu3s381TSBhU28ZhtR9EJq5wls9gd
Ughr9rcdp0pv4RNugkWx7IxsB+tt3DXHR6fR1urCg1vu7Sc4tXGTGc+0zl9MVIe6
JAuXfU6yrbxD4t4dBq9D
=0fAi
-----END PGP SIGNATURE-----


  • [IT-SecNots] [SECURITY] [DSA 3626-1] openssh security update, Salvatore Bonaccorso, 24.07.2016

Archiv bereitgestellt durch MHonArc 2.6.19.

Seitenanfang