=========================================================== Ubuntu Security Notice USN-34-1 November 30, 2004 openssh information leakage CAN-2003-0190 ===========================================================
A security issue affects the following Ubuntu releases:
Ubuntu 4.10 (Warty Warthog)
The following packages are affected:
openssh-server
The problem can be corrected by upgrading the affected package to version 1:3.8.1p1-11ubuntu3.1. In general, a standard system upgrade is sufficient to effect the necessary changes.
Details follow:
@Mediaservice.net discovered two information leaks in the OpenSSH server. When using password authentication, an attacker could test whether a login name exists by measuring the time between failed login attempts, i. e. the time after which the "password:" prompt appears again.
A similar issue affects systems which do not allow root logins over ssh ("PermitRootLogin no"). By measuring the time between login attempts an attacker could check whether a given root password is correct. This allowed determining weak root passwords using a brute force attack.