You are here
Home > Preporuke > Sigurnosni nedostatak programskog paketa openssh

Sigurnosni nedostatak programskog paketa openssh

—–BEGIN PGP SIGNED MESSAGE—–
Hash: SHA512

– ————————————————————————-
Debian Security Advisory DSA-3626-1 security@debian.org
https://www.debian.org/security/ Salvatore Bonaccorso
July 24, 2016 https://www.debian.org/security/faq
– ————————————————————————-

Package : openssh
CVE ID : CVE-2016-6210
Debian Bug : 831902

Eddie Harari reported that the OpenSSH SSH daemon allows user
enumeration through timing differences when trying to authenticate
users. When sshd tries to authenticate a non-existing user, it will pick
up a fixed fake password structure with a hash based on the Blowfish
algorithm. If real users passwords are hashed using SHA256/SHA512, then
a remote attacker can take advantage of this flaw by sending large
passwords, receiving shorter response times from the server for
non-existing users.

For the stable distribution (jessie), this problem has been fixed in
version 1:6.7p1-5+deb8u3.

For the unstable distribution (sid), this problem has been fixed in
version 1:7.2p2-6.

We recommend that you upgrade your openssh packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org
—–BEGIN PGP SIGNATURE—–
Version: GnuPG v1

iQIcBAEBCgAGBQJXlISdAAoJEAVMuPMTQ89E50EP/2IZzNstrspvhIJzWiJ0XJpA
GHzRSK0tbMZEfolYBwPQ6Z8G7hWeBnP0sQIsCjuSbmasvjdKgOLDL90ffrsPnb2/
hHnP7SOERXHGSXmgB9/7hWQtjtxS9mDw703H9XI73Rb3DF8aVrPYUGvQb8/hIh4F
Cb/TX2rmPTievw+JWAhkwxa5yEwqrl7J2yARtwraeNujoXvOyZpogNcoQ4HkKQtG
X+nktjcs6Y8rETTNJzOAeo9HlPRDnxVaHmjN47DXk2IqpyJWYWEOX/rlvAIRKkFH
M5xtciU3POVnMqE/CYsqJFmlo0QpQI+LYFTjd6gs0bd3TN71SpV+kg36U+ujG5kk
EACgrpWKBnWdUzwYk7Ur2hj95UgXHjQDeZM69WIg9a+OemW9op9ZuYx+umb38+zd
bJnMwjvF5uzQGwyM3Nk91EjZYmxKLlv0CO1MCUBaF5Re7b6Ki2wLUmlMmGDGPRS3
Q8NFeRO9ycpFkkqaVvYkiyrTkPquBaH2MG5HUMOnBwMtg4ksTgHxIGWh975EnLTh
TealNc9LFwG3YHJw+rqTmm/YAVNJgoFR7J4mu3s381TSBhU28ZhtR9EJq5wls9gd
Ughr9rcdp0pv4RNugkWx7IxsB+tt3DXHR6fR1urCg1vu7Sc4tXGTGc+0zl9MVIe6
JAuXfU6yrbxD4t4dBq9D
=0fAi
—–END PGP SIGNATURE—–

Top
More in Preporuke
Sigurnosni nedostatak programskog paketa mingw-gnutls

Otkriven je sigurnosni nedostatak u programskom paketu mingw-gnutls za Fedoru. Otkriveni nedostatak pogađa provjeru certifikata kada se GnuTLS koristi u...

Close