drucken bookmarks versenden konfigurieren admin pdf Sicherheit: Preisgabe von Informationen in OpenSSH
| Name: |
Preisgabe von Informationen in OpenSSH |
|
| ID: |
DSA-3626-1 |
|
| Distribution: |
Debian |
|
| Plattformen: |
Debian sid, Debian jessie |
|
| Datum: |
Mo, 25. Juli 2016, 07:43 |
|
| Referenzen: |
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6210 |
|
| Applikationen: |
OpenSSH |
|
Originalnachricht |
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
- -------------------------------------------------------------------------
Debian Security Advisory DSA-3626-1 security@debian.org
https://www.debian.org/security/ Salvatore Bonaccorso
July 24, 2016 https://www.debian.org/security/faq
- -------------------------------------------------------------------------
Package : openssh
CVE ID : CVE-2016-6210
Debian Bug : 831902
Eddie Harari reported that the OpenSSH SSH daemon allows user
enumeration through timing differences when trying to authenticate
users. When sshd tries to authenticate a non-existing user, it will pick
up a fixed fake password structure with a hash based on the Blowfish
algorithm. If real users passwords are hashed using SHA256/SHA512, then
a remote attacker can take advantage of this flaw by sending large
passwords, receiving shorter response times from the server for
non-existing users.
For the stable distribution (jessie), this problem has been fixed in
version 1:6.7p1-5+deb8u3.
For the unstable distribution (sid), this problem has been fixed in
version 1:7.2p2-6.
We recommend that you upgrade your openssh packages.
Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/
Mailing list: debian-security-announce@lists.debian.org
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
iQIcBAEBCgAGBQJXlISdAAoJEAVMuPMTQ89E50EP/2IZzNstrspvhIJzWiJ0XJpA
GHzRSK0tbMZEfolYBwPQ6Z8G7hWeBnP0sQIsCjuSbmasvjdKgOLDL90ffrsPnb2/
hHnP7SOERXHGSXmgB9/7hWQtjtxS9mDw703H9XI73Rb3DF8aVrPYUGvQb8/hIh4F
Cb/TX2rmPTievw+JWAhkwxa5yEwqrl7J2yARtwraeNujoXvOyZpogNcoQ4HkKQtG
X+nktjcs6Y8rETTNJzOAeo9HlPRDnxVaHmjN47DXk2IqpyJWYWEOX/rlvAIRKkFH
M5xtciU3POVnMqE/CYsqJFmlo0QpQI+LYFTjd6gs0bd3TN71SpV+kg36U+ujG5kk
EACgrpWKBnWdUzwYk7Ur2hj95UgXHjQDeZM69WIg9a+OemW9op9ZuYx+umb38+zd
bJnMwjvF5uzQGwyM3Nk91EjZYmxKLlv0CO1MCUBaF5Re7b6Ki2wLUmlMmGDGPRS3
Q8NFeRO9ycpFkkqaVvYkiyrTkPquBaH2MG5HUMOnBwMtg4ksTgHxIGWh975EnLTh
TealNc9LFwG3YHJw+rqTmm/YAVNJgoFR7J4mu3s381TSBhU28ZhtR9EJq5wls9gd
Ughr9rcdp0pv4RNugkWx7IxsB+tt3DXHR6fR1urCg1vu7Sc4tXGTGc+0zl9MVIe6
JAuXfU6yrbxD4t4dBq9D
=0fAi
-----END PGP SIGNATURE-----
|
|
|
|
