Bug#281595: marked as done (timing attack allows attacker to determine valid usernames)
Your message dated Sun, 28 Nov 2004 09:32:17 -0500
with message-id <E1CYQ65-0000KB-00@newraff.debian.org>
and subject line Bug#281595: fixed in openssh 1:3.8.1p1-8.sarge.4
has caused the attached Bug report to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere. Please contact me immediately.)
Debian bug tracking system administrator
(administrator, Debian Bugs database)
--------------------------------------
Received: (at submit) by bugs.debian.org; 16 Nov 2004 20:09:43 +0000
>From joey@kitenet.net Tue Nov 16 12:09:43 2004
Return-path: <joey@kitenet.net>
Received: from kitenet.net [64.62.161.42] (postfix)
by spohr.debian.org with esmtp (Exim 3.35 1 (Debian))
id 1CU9e3-00054F-00; Tue, 16 Nov 2004 12:09:43 -0800
Received: from dragon.kitenet.net (unknown [66.168.94.144])
(using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits))
(Client CN "Joey Hess", Issuer "Joey Hess" (verified OK))
by kitenet.net (Postfix) with ESMTP id 2DE7117FE4
for <submit@bugs.debian.org>; Tue, 16 Nov 2004 20:09:41 +0000 (GMT)
Received: by dragon.kitenet.net (Postfix, from userid 1000)
id 3077E6E19C; Tue, 16 Nov 2004 15:11:07 -0500 (EST)
Date: Tue, 16 Nov 2004 15:11:07 -0500
From: Joey Hess <joeyh@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: timing attack allows attacker to determine valid usernames
Message-ID: <[🔎] 20041116201107.GA814@kitenet.net>
Mime-Version: 1.0
Content-Type: multipart/signed; micalg=pgp-sha1;
protocol="application/pgp-signature"; boundary="VS++wcV0S1rZb1Fb"
Content-Disposition: inline
X-Reportbug-Version: 3.2
User-Agent: Mutt/1.5.6+20040907i
Delivered-To: submit@bugs.debian.org
X-Spam-Checker-Version: SpamAssassin 2.60-bugs.debian.org_2004_03_25
(1.212-2003-09-23-exp) on spohr.debian.org
X-Spam-Status: No, hits=-8.0 required=4.0 tests=BAYES_00,HAS_PACKAGE
autolearn=no version=2.60-bugs.debian.org_2004_03_25
X-Spam-Level:
--VS++wcV0S1rZb1Fb
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable
Package: ssh
Version: 1:3.8.1p1-8.sarge.2
Severity: serious
Tags: security
CAN-2003-0190 describes a flaw in ssh's password prompt timing which
makes it easy for an attacker to determine if a username exists on a
machine. I've checked and testing and unstable's versions of ssh are
vulnerable. Details and some fixes are in this message:
http://marc.theaimsgroup.com/?l=3Dbugtraq&m=3D105172058404810&w=3D2
Feel free to downgrade this bug if you don't feel it's a real security
problem or not RC. I assume upstream must not, since the problem has not
been fixed in over a year. Of course, upstream problably doesn't use ssh
in the vulnerable configuration, with pam.
--=20
see shy jo
--VS++wcV0S1rZb1Fb
Content-Type: application/pgp-signature; name="signature.asc"
Content-Description: Digital signature
Content-Disposition: inline
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.5 (GNU/Linux)
iD8DBQFBml7bd8HHehbQuO8RAhQdAJ9vX7qqeX/o1omjdtICaEq9lwXhiACfaNou
1vS3O884o0cblm2Er0ryN/o=
=U6Mq
-----END PGP SIGNATURE-----
--VS++wcV0S1rZb1Fb--
---------------------------------------
Received: (at 281595-close) by bugs.debian.org; 28 Nov 2004 14:39:45 +0000
>From katie@ftp-master.debian.org Sun Nov 28 06:39:45 2004
Return-path: <katie@ftp-master.debian.org>
Received: from newraff.debian.org [208.185.25.31] (mail)
by spohr.debian.org with esmtp (Exim 3.35 1 (Debian))
id 1CYQDJ-0005K5-00; Sun, 28 Nov 2004 06:39:45 -0800
Received: from katie by newraff.debian.org with local (Exim 3.35 1 (Debian))
id 1CYQ65-0000KB-00; Sun, 28 Nov 2004 09:32:17 -0500
From: Colin Watson <cjwatson@debian.org>
To: 281595-close@bugs.debian.org
X-Katie: $Revision: 1.54 $
Subject: Bug#281595: fixed in openssh 1:3.8.1p1-8.sarge.4
Message-Id: <E1CYQ65-0000KB-00@newraff.debian.org>
Sender: Archive Administrator <katie@ftp-master.debian.org>
Date: Sun, 28 Nov 2004 09:32:17 -0500
Delivered-To: 281595-close@bugs.debian.org
X-Spam-Checker-Version: SpamAssassin 2.60-bugs.debian.org_2004_03_25
(1.212-2003-09-23-exp) on spohr.debian.org
X-Spam-Status: No, hits=-6.0 required=4.0 tests=BAYES_00,HAS_BUG_NUMBER
autolearn=no version=2.60-bugs.debian.org_2004_03_25
X-Spam-Level:
Source: openssh
Source-Version: 1:3.8.1p1-8.sarge.4
We believe that the bug you reported is fixed in the latest version of
openssh, which is due to be installed in the Debian FTP archive:
openssh-client-udeb_3.8.1p1-8.sarge.4_powerpc.udeb
to pool/main/o/openssh/openssh-client-udeb_3.8.1p1-8.sarge.4_powerpc.udeb
openssh-server-udeb_3.8.1p1-8.sarge.4_powerpc.udeb
to pool/main/o/openssh/openssh-server-udeb_3.8.1p1-8.sarge.4_powerpc.udeb
openssh_3.8.1p1-8.sarge.4.diff.gz
to pool/main/o/openssh/openssh_3.8.1p1-8.sarge.4.diff.gz
openssh_3.8.1p1-8.sarge.4.dsc
to pool/main/o/openssh/openssh_3.8.1p1-8.sarge.4.dsc
ssh-askpass-gnome_3.8.1p1-8.sarge.4_powerpc.deb
to pool/main/o/openssh/ssh-askpass-gnome_3.8.1p1-8.sarge.4_powerpc.deb
ssh_3.8.1p1-8.sarge.4_powerpc.deb
to pool/main/o/openssh/ssh_3.8.1p1-8.sarge.4_powerpc.deb
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 281595@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Colin Watson <cjwatson@debian.org> (supplier of updated openssh package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.7
Date: Sun, 28 Nov 2004 12:37:16 +0000
Source: openssh
Binary: ssh-askpass-gnome openssh-client-udeb ssh openssh-server-udeb
Architecture: source powerpc
Version: 1:3.8.1p1-8.sarge.4
Distribution: unstable
Urgency: high
Maintainer: Matthew Vernon <matthew@debian.org>
Changed-By: Colin Watson <cjwatson@debian.org>
Description:
openssh-client-udeb - Secure shell client for the Debian installer (udeb)
openssh-server-udeb - Secure shell server for the Debian installer (udeb)
ssh - Secure rlogin/rsh/rcp replacement (OpenSSH)
ssh-askpass-gnome - under X, asks user for a passphrase for ssh-add
Closes: 248747 281595
Changes:
openssh (1:3.8.1p1-8.sarge.4) unstable; urgency=high
.
* Fix timing information leak allowing discovery of invalid usernames in
PAM keyboard-interactive authentication (backported from a patch by
Darren Tucker; closes: #281595).
* Make sure that there's a delay in PAM keyboard-interactive
authentication when PermitRootLogin is not set to yes and the correct
root password is entered (closes: #248747).
Files:
8ad7931d85460ac1f9a2971e708d1d65 906 net standard openssh_3.8.1p1-8.sarge.4.dsc
187b8455948c188c97c3bfba92120e51 155885 net standard openssh_3.8.1p1-8.sarge.4.diff.gz
ef7b58119f1f6d1bc0efd10412df2235 737276 net standard ssh_3.8.1p1-8.sarge.4_powerpc.deb
70e71d02d5370a22da119f47b492a4dc 52728 gnome optional ssh-askpass-gnome_3.8.1p1-8.sarge.4_powerpc.deb
cb5fd04403ea907c8be066b620ed906a 151080 debian-installer optional openssh-client-udeb_3.8.1p1-8.sarge.4_powerpc.udeb
9cd11fbcd1bcf3e2c06b78721a727dea 160092 debian-installer optional openssh-server-udeb_3.8.1p1-8.sarge.4_powerpc.udeb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.5 (GNU/Linux)
Comment: Colin Watson <cjwatson@debian.org> -- Debian developer
iD8DBQFBqcvH9t0zAhD6TNERAv1CAJ9n9yy/P8zhf4kp7WoY99Rfuo9osgCdFneL
0RmN8Hcxkw5sO8WJ0u8AJ40=
=zOT0
-----END PGP SIGNATURE-----
Reply to: