
Bug#196413: marked as done (ssh: Disclosure of Valid User Account Names to Remote Users)



Your message dated Tue, 17 Jul 2007 01:38:53 +0300
with message-id <20070716223853.GA3248@norsu.vuoristo.local>
and subject line Closing
has caused the attached Bug report to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere.  Please contact me immediately.)

Debian bug tracking system administrator
(administrator, Debian Bugs database)

--- Begin Message ---
Package: ssh
Version: 1:3.4p1-1
Severity: grave
Tags: security
Justification: user security hole

http://www.securitytracker.com/alerts/2003/May/1006688.html
CVE Reference: CAN-2003-0190

OpenSSH up to and including version 3.6.1p1 with PAM enabled is
vulnerable to a timing-attack. It enables remote attackers to determine
whether a username is valid on this system or not.

Debian Woody is vulnerable to this.

(For Sid, this bug has been reported (#191681) and marked as "resolved"
already. The solution was to upgrade to 3.6.1p2.)

Cheers,
Markus A.

-- System Information
Debian Release: 3.0
Architecture: i386
Kernel: Linux aqua 2.2.25raid-01 #1 Mon Mär 17 20:10:33 CET 2003 i686
Locale: LANG=C, LC_CTYPE=de_AT

Versions of packages ssh depends on:
ii  adduser                 3.47             Add and remove users and groups
ii  debconf                 1.0.32           Debian configuration management sy
ii  libc6                   2.2.5-11.5       GNU C Library: Shared libraries an
ii  libpam-modules          0.72-35          Pluggable Authentication Modules f
ii  libpam0g                0.72-35          Pluggable Authentication Modules l
ii  libssl0.9.6             0.9.6c-2.woody.3 SSL shared libraries
ii  libwrap0                7.6-9            Wietse Venema's TCP wrappers libra
ii  zlib1g                  1:1.1.4-1        compression library - runtime



--- End Message ---
--- Begin Message ---
Woody is now unsupported, closing.

--- End Message ---
