
Re: Bug#793616: marked as done (openssh: CVE-2015-5600: MaxAuthTries limit bypass via duplicates in KbdInteractiveDevices)



Hi Colin,

On Thu Aug 20 00:50:02 2015 Colin Watson <cjwatson@debian.org> wrote:
> On Fri, Aug 07, 2015 at 11:30:07AM +0000, Debian Bug Tracking System
> wrote:
> > openssh (1:5.5p1-6+squeeze6) squeeze-lts; urgency=medium
> > .
> > * Non-maintainer upload by the Debian LTS team.
> > * CVE-2015-5352: Reject X11 connections after hard-coded Xauth cookie
> > expiration time of 1200 seconds. (Closes: #790798).
> > * CVE-2015-5600: Only query each keyboard-interactive device once per
> > authentication request regardless of how many times it is listed.
> > (Closes: #793616).
> 
> I have not yet looked at the actual patch applied here, but please note
> that for versions of OpenSSH earlier than 6.5p1 (thus, squeeze and
> wheezy) there is a gotcha: you need the additional patch from
> https://bugs.launchpad.net/ubuntu/+source/openssh/+bug/1485719.  If you
> didn't include that then I think you need to issue a follow-up advisory.
> 
> -- 
> Colin Watson                                      

Thanks for the feedback. I put the above on my radar and will check and follow up when I have returned from VAC.

Mike


-- 

DAS-NETZWERKTEAM
mike gabriel, herweg 7, 24357 fleckeby
fon: +49 (1520) 1976148

GnuPG Key ID 0x25771B13
mail: mike.gabriel@das-netzwerkteam.de, http://das-netzwerkteam.de


