Package: ssh
Version: 1:3.8.1p1-8.sarge.2
Severity: serious
Tags: security

CAN-2003-0190 describes a flaw in ssh's password prompt timing which makes it easy for an attacker to determine if a username exists on a machine. I've checked, and testing and unstable's versions of ssh are vulnerable. Details and some fixes are in this message:
http://marc.theaimsgroup.com/?l=bugtraq&m=105172058404810&w=2

Feel free to downgrade this bug if you don't feel it's a real security problem or not RC. I assume upstream must not, since the problem has not been fixed in over a year. Of course, upstream probably doesn't use ssh in the vulnerable configuration, with pam.

--
see shy jo