Re: Bug#793616: marked as done (openssh: CVE-2015-5600: MaxAuthTries limit bypass via duplicates in KbdInteractiveDevices)
On Thu Aug 20 00:50:02 2015 Colin Watson <email@example.com> wrote:
> On Fri, Aug 07, 2015 at 11:30:07AM +0000, Debian Bug Tracking System
> > openssh (1:5.5p1-6+squeeze6) squeeze-lts; urgency=medium
> > .
> > * Non-maintainer upload by the Debian LTS team.
> > * CVE-2015-5352: Reject X11 connections after hard-coded Xauth cookie
> > expiration time of 1200 seconds. (Closes: #790798).
> > * CVE-2015-5600: Only query each keyboard-interactive device once per
> > authentication request regardless of how many times it is listed.
> > (Closes: #793616).
> I have not yet looked at the actual patch applied here, but please note
> that for versions of OpenSSH earlier than 6.5p1 (thus, squeeze and
> wheezy) there is a gotcha: you need the additional patch from
> https://bugs.launchpad.net/ubuntu/+source/openssh/+bug/1485719. ; If you
> didn't include that then I think you need to issue a follow-up advisory.
> Colin Watson
Thanks for feedback, I put the above on my radar and will check and follow-up when I have returned from VAC.
mike gabriel, herweg 7, 24357 fleckeby
fon: +49 (1520) 1976148
GnuPG Key ID 0x25771B13
mail: firstname.lastname@example.org, http://das-netzwerkteam.de