Bug#793616: marked as done (openssh: CVE-2015-5600: MaxAuthTries limit bypass via duplicates in KbdInteractiveDevices)
On Fri, Aug 07, 2015 at 11:30:07AM +0000, Debian Bug Tracking System wrote:
> openssh (1:5.5p1-6+squeeze6) squeeze-lts; urgency=medium
> .
> * Non-maintainer upload by the Debian LTS team.
> * CVE-2015-5352: Reject X11 connections after hard-coded Xauth cookie
> expiration time of 1200 seconds. (Closes: #790798).
> * CVE-2015-5600: Only query each keyboard-interactive device once per
> authentication request regardless of how many times it is listed.
> (Closes: #793616).
I have not yet looked at the actual patch applied here, but please note
that for versions of OpenSSH earlier than 6.5p1 (thus, squeeze and
wheezy) there is a gotcha: you need the additional patch from
https://bugs.launchpad.net/ubuntu/+source/openssh/+bug/1485719. If you
didn't include that then I think you need to issue a follow-up advisory.
--
Colin Watson [cjwatson@debian.org]
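A simplified model of the behaviour the changelog entry above fixes, added here as an example; it is not OpenSSH code and the names (`parse_devices`, `guesses_allowed`) are hypothetical. It counts how many password prompts a client receives before MaxAuthTries is exhausted when the same keyboard-interactive device is listed repeatedly, with and without the once-per-request deduplication.

```python
# Constructed model of the keyboard-interactive device loop around CVE-2015-5600.
# Not OpenSSH code: it only captures the accounting that matters for MaxAuthTries.

def parse_devices(submethods, configured=("pam",)):
    """Split the client-supplied submethods string into device names, keeping
    only devices the server is configured to offer (hypothetical helper)."""
    return [d for d in submethods.split(",") if d in configured]


def guesses_allowed(submethods, dedupe, max_auth_tries=6):
    """Return how many prompts (password guesses) a client can obtain before
    the server closes the connection for exceeding MaxAuthTries.

    Each userauth request walks the device list and issues one prompt per
    entry, but the whole request counts as a single failure.  Without
    deduplication a list such as "pam,pam,pam" multiplies the prompts per
    failure; with the fix every device is queried at most once per request.
    """
    devices = parse_devices(submethods)
    if dedupe:
        seen = set()
        devices = [d for d in devices if d not in seen and not seen.add(d)]
    failures = 0
    prompts = 0
    while failures < max_auth_tries:
        prompts += len(devices)   # one prompt per listed device in this request
        failures += 1             # the request as a whole counts once
    return prompts


if __name__ == "__main__":
    listed = ",".join(["pam"] * 10)            # constructed client-supplied list
    print("without fix:", guesses_allowed(listed, dedupe=False))  # 60
    print("with fix:   ", guesses_allowed(listed, dedupe=True))   # 6
```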