drucken bookmarks versenden konfigurieren admin pdf Sicherheit: Preisgabe von Informationen in OpenSSH
Name: |
Preisgabe von Informationen in OpenSSH |
|
ID: |
DSA-3626-1 |
|
Distribution: |
Debian |
|
Plattformen: |
Debian sid, Debian jessie |
|
Datum: |
Mo, 25. Juli 2016, 07:43 |
|
Referenzen: |
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6210 |
|
Applikationen: |
OpenSSH |
|
Originalnachricht |
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512
- ------------------------------------------------------------------------- Debian Security Advisory DSA-3626-1 security@debian.org https://www.debian.org/security/ Salvatore Bonaccorso July 24, 2016 https://www.debian.org/security/faq - -------------------------------------------------------------------------
Package : openssh CVE ID : CVE-2016-6210 Debian Bug : 831902
Eddie Harari reported that the OpenSSH SSH daemon allows user enumeration through timing differences when trying to authenticate users. When sshd tries to authenticate a non-existing user, it will pick up a fixed fake password structure with a hash based on the Blowfish algorithm. If real users passwords are hashed using SHA256/SHA512, then a remote attacker can take advantage of this flaw by sending large passwords, receiving shorter response times from the server for non-existing users.
For the stable distribution (jessie), this problem has been fixed in version 1:6.7p1-5+deb8u3.
For the unstable distribution (sid), this problem has been fixed in version 1:7.2p2-6.
We recommend that you upgrade your openssh packages.
Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/
Mailing list: debian-security-announce@lists.debian.org -----BEGIN PGP SIGNATURE----- Version: GnuPG v1
iQIcBAEBCgAGBQJXlISdAAoJEAVMuPMTQ89E50EP/2IZzNstrspvhIJzWiJ0XJpA GHzRSK0tbMZEfolYBwPQ6Z8G7hWeBnP0sQIsCjuSbmasvjdKgOLDL90ffrsPnb2/ hHnP7SOERXHGSXmgB9/7hWQtjtxS9mDw703H9XI73Rb3DF8aVrPYUGvQb8/hIh4F Cb/TX2rmPTievw+JWAhkwxa5yEwqrl7J2yARtwraeNujoXvOyZpogNcoQ4HkKQtG X+nktjcs6Y8rETTNJzOAeo9HlPRDnxVaHmjN47DXk2IqpyJWYWEOX/rlvAIRKkFH M5xtciU3POVnMqE/CYsqJFmlo0QpQI+LYFTjd6gs0bd3TN71SpV+kg36U+ujG5kk EACgrpWKBnWdUzwYk7Ur2hj95UgXHjQDeZM69WIg9a+OemW9op9ZuYx+umb38+zd bJnMwjvF5uzQGwyM3Nk91EjZYmxKLlv0CO1MCUBaF5Re7b6Ki2wLUmlMmGDGPRS3 Q8NFeRO9ycpFkkqaVvYkiyrTkPquBaH2MG5HUMOnBwMtg4ksTgHxIGWh975EnLTh TealNc9LFwG3YHJw+rqTmm/YAVNJgoFR7J4mu3s381TSBhU28ZhtR9EJq5wls9gd Ughr9rcdp0pv4RNugkWx7IxsB+tt3DXHR6fR1urCg1vu7Sc4tXGTGc+0zl9MVIe6 JAuXfU6yrbxD4t4dBq9D =0fAi -----END PGP SIGNATURE-----
|
|
|
|