
Bug#793616: marked as done (openssh: CVE-2015-5600: MaxAuthTries limit bypass via duplicates in KbdInteractiveDevices)



On Fri, Aug 07, 2015 at 11:30:07AM +0000, Debian Bug Tracking System wrote:
>  openssh (1:5.5p1-6+squeeze6) squeeze-lts; urgency=medium
>  .
>    * Non-maintainer upload by the Debian LTS team.
>    * CVE-2015-5352: Reject X11 connections after hard-coded Xauth cookie
>      expiration time of 1200 seconds. (Closes: #790798).
>    * CVE-2015-5600: Only query each keyboard-interactive device once per
>      authentication request regardless of how many times it is listed.
>      (Closes: #793616).

I have not yet looked at the actual patch applied here, but please note
that for versions of OpenSSH earlier than 6.5p1 (thus, squeeze and
wheezy) there is a gotcha: you need the additional patch from
https://bugs.launchpad.net/ubuntu/+source/openssh/+bug/1485719.  If you
didn't include that then I think you need to issue a follow-up advisory.

-- 
Colin Watson                                       [cjwatson@debian.org]
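The changelog entry quoted above describes the CVE-2015-5600 fix as querying each keyboard-interactive device only once per authentication request, no matter how many times the client lists it. The following is an added illustration, written for this page and not OpenSSH's own code: a simplified model of how a server would handle the client-supplied device list before and after that change, so the effect on the MaxAuthTries limit can be checked. The device names, the configured device set, and the assumption that one authentication request is counted once against MaxAuthTries are all constructed for the example.

```python
# Added illustration, not OpenSSH code: a simplified model of the
# keyboard-interactive device list handling that CVE-2015-5600 concerns.
# SERVER_DEVICES and MAX_AUTH_TRIES are assumed values for the example.

SERVER_DEVICES = ("pam",)   # assumed: devices this server has configured
MAX_AUTH_TRIES = 6          # sshd_config default for MaxAuthTries


def parse_devices(submethods: str) -> list[str]:
    """Split the client's comma-separated submethods string into names."""
    return [name.strip() for name in submethods.split(",") if name.strip()]


def dedupe_devices(devices: list[str]) -> list[str]:
    """Keep the first occurrence of each device name, preserving order."""
    seen: set[str] = set()
    unique: list[str] = []
    for name in devices:
        if name not in seen:
            seen.add(name)
            unique.append(name)
    return unique


def prompts_per_request(submethods: str, fixed: bool) -> int:
    """Number of password prompts one authentication request yields.

    Each listed device the server supports is queried once per listing
    (the pre-fix behaviour); with fixed=True repeated names are collapsed
    first, so each device is queried at most once per request.
    """
    requested = parse_devices(submethods)
    if fixed:
        requested = dedupe_devices(requested)
    return sum(1 for name in requested if name in SERVER_DEVICES)


def guesses_within_limit(submethods: str, fixed: bool,
                         max_auth_tries: int = MAX_AUTH_TRIES) -> int:
    """Password prompts available before MaxAuthTries is exhausted.

    Assumes (for this model) that each authentication request counts once
    against the limit, so the per-request prompt count is what MaxAuthTries
    actually bounds.
    """
    return prompts_per_request(submethods, fixed) * max_auth_tries


if __name__ == "__main__":
    for submethods in ("pam", "pam,pam,pam"):
        for fixed in (False, True):
            print(f"{submethods!r:16} fixed={fixed!s:5} "
                  f"prompts/request={prompts_per_request(submethods, fixed)} "
                  f"total before limit={guesses_within_limit(submethods, fixed)}")
```

The point of the model for an administrator reviewing a backport is the `guesses_within_limit` line: once duplicates are collapsed, the number of prompts reachable before lockout is bounded by MaxAuthTries times the number of distinct configured devices, which is what the setting was meant to bound in the first place. Whether a given package actually reaches that state is exactly the question the follow-up patch mentioned in the message addresses for the older releases.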

