Bug#436571: openssh: CVE-2007-2768 and CVE-2007-2243 (determine the existence of user accounts)

To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: Bug#436571: openssh: CVE-2007-2768 and CVE-2007-2243 (determine the existence of user accounts)
From: Steffen Joeris <steffen.joeris@skolelinux.de>
Date: Wed, 08 Aug 2007 19:28:53 +1000
Message-id: <[🔎] 20070808092853.15903.1507.reportbug@katha.debian.org>
Reply-to: Steffen Joeris <steffen.joeris@skolelinux.de>, 436571@bugs.debian.org

Package: openssh
Severity: normal
Tags: security

Hi

There are two CVEs[1][2] issued for openssh. Text below:

OpenSSH, when using OPIE (One-Time Passwords in Everything) for PAM,
allows remote attackers to determine the existence of certain user
accounts, which displays a different response if the user account exists
and is configured to use one-time passwords (OTP), a similar issue to
CVE-2007-2243.

OpenSSH 4.6 and earlier, when ChallengeResponseAuthentication is
enabled, allows remote attackers to determine the existence of user
accounts by attempting to authenticate via S/KEY, which displays a
different response if the user account exists, a similar issue to
CVE-2001-1483.

Can you please check, if they occur in the current debian packages?
If you should upload a fix, please mention the CVE numbers in the
changelog.
Thanks for your efforts

Cheers
Steffen


[1]: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-2243

[2]: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-2768

Reply to:

Follow-Ups:
- Bug#436571: marked as done (openssh: CVE-2007-2768 and CVE-2007-2243 (determine the existence of user accounts))
  - From: owner@bugs.debian.org (Debian Bug Tracking System)

Prev by Date: New PAM in experimental needs testing
Next by Date: Bug#436111: logs
Previous by thread: New PAM in experimental needs testing
Next by thread: Bug#436571: marked as done (openssh: CVE-2007-2768 and CVE-2007-2243 (determine the existence of user accounts))
Index(es):
- Date
- Thread