
Please review openssh/1:3.8.1p1-8.sarge.4

openssh (1:3.8.1p1-8.sarge.4) unstable; urgency=high

  * Fix timing information leak allowing discovery of invalid usernames in
    PAM keyboard-interactive authentication (backported from a patch by
    Darren Tucker; closes: #281595).
  * Make sure that there's a delay in PAM keyboard-interactive
    authentication when PermitRootLogin is not set to yes and the correct
    root password is entered (closes: #248747).

 -- Colin Watson <cjwatson@debian.org>  Sun, 28 Nov 2004 12:37:16 +0000

This doesn't seem to have introduced any new regressions, and I consider
the two information leaks to be security issues.

I'm still rather concerned about #283703, but that's a separate issue
which I haven't yet had time to look into in any detail. We may later
need to rebuild openssh against the current openssl, assuming that it
reaches sarge.

Colin Watson                                       [cjwatson@debian.org]
