Bug#196413: marked as done (ssh: Disclosure of Valid User Account Names to Remote Users)
Your message dated Tue, 17 Jul 2007 01:38:53 +0300
with message-id <20070716223853.GA3248@norsu.vuoristo.local>
and subject line Closing
has caused the attached Bug report to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere. Please contact me immediately.)
Debian bug tracking system administrator
(administrator, Debian Bugs database)
--- Begin Message ---
- To: Debian Bug Tracking System <submit@bugs.debian.org>
- Subject: ssh: Disclosure of Valid User Account Names to Remote Users
- From: Markus Amersdorfer <markus.amersdorfer@subnet.at>
- Date: Fri, 06 Jun 2003 21:10:30 +0200
- Message-id: <E19OMbe-0001CF-00@aqua.subnet.at>
Package: ssh
Version: 1:3.4p1-1
Severity: grave
Tags: security
Justification: user security hole
http://www.securitytracker.com/alerts/2003/May/1006688.html
CVE Reference: CAN-2003-0190
OpenSSH up to and including version 3.6.1p1 with PAM enabled is
vulnerable to a timing attack. It enables remote attackers to determine
whether a username is valid on this system or not.
Debian Woody is vulnerable to this.
(For Sid, this bug has been reported (#191681) and marked as "resolved"
already. The solution was to upgrade to 3.6.1p2.)
Cheers,
Markus A.
-- System Information
Debian Release: 3.0
Architecture: i386
Kernel: Linux aqua 2.2.25raid-01 #1 Mon Mär 17 20:10:33 CET 2003 i686
Locale: LANG=C, LC_CTYPE=de_AT
Versions of packages ssh depends on:
ii adduser 3.47 Add and remove users and groups
ii debconf 1.0.32 Debian configuration management sy
ii libc6 2.2.5-11.5 GNU C Library: Shared libraries an
ii libpam-modules 0.72-35 Pluggable Authentication Modules f
ii libpam0g 0.72-35 Pluggable Authentication Modules l
ii libssl0.9.6 0.9.6c-2.woody.3 SSL shared libraries
ii libwrap0 7.6-9 Wietse Venema's TCP wrappers libra
ii zlib1g 1:1.1.4-1 compression library - runtime
--- End Message ---
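
Added example, not part of the original bug report and not OpenSSH or PAM code: a small C model of the username-timing leak the report describes, next to a flow where every failed attempt costs the same. It assumes the difference comes from rejecting an unknown user immediately while a known user's failure incurs a delay; the account data, cost constants and function names are constructed for illustration.

```c
#include <stddef.h>
#include <string.h>

/* Constructed model, not OpenSSH or PAM code. "cost" counts simulated time
 * units so both flows can be compared deterministically. */
struct account { const char *name; const char *password; };
struct outcome { int ok; unsigned cost; };

static const struct account accounts[] = { { "alice", "s3cret" } }; /* constructed */
enum { CHECK_COST = 5, FAIL_DELAY = 2000 }; /* hypothetical unit costs */

static const struct account *lookup(const char *user) {
    for (size_t i = 0; i < sizeof accounts / sizeof accounts[0]; i++)
        if (strcmp(accounts[i].name, user) == 0)
            return &accounts[i];
    return NULL;
}

/* Flawed flow: an unknown user is rejected at once, so a failed attempt
 * costs 0 for invalid names and CHECK_COST + FAIL_DELAY for valid ones. */
struct outcome auth_leaky(const char *user, const char *pw) {
    struct outcome o = { 0, 0 };
    const struct account *a = lookup(user);
    if (a == NULL)
        return o;
    o.cost += CHECK_COST;
    if (strcmp(a->password, pw) == 0) { o.ok = 1; return o; }
    o.cost += FAIL_DELAY;
    return o;
}

/* Hardened flow: an unknown user is checked against a dummy account and
 * receives the same failure delay, so every failure costs the same. */
struct outcome auth_uniform(const char *user, const char *pw) {
    static const struct account dummy = { "", "*" };
    struct outcome o = { 0, 0 };
    const struct account *a = lookup(user);
    int known = (a != NULL);
    if (!known)
        a = &dummy;
    o.cost += CHECK_COST;
    int match = (strcmp(a->password, pw) == 0);
    if (known && match) { o.ok = 1; return o; }
    o.cost += FAIL_DELAY;
    return o;
}
```
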
--- Begin Message ---
Woody is now unsupported, closing.
--- End Message ---