Bug#436571: openssh: CVE-2007-2768 and CVE-2007-2243 (determine the existence of user accounts)
Package: openssh
Severity: normal
Tags: security
Hi
There are two CVEs[1][2] issued for openssh. Text below:
OpenSSH, when using OPIE (One-Time Passwords in Everything) for PAM,
allows remote attackers to determine the existence of certain user
accounts, which displays a different response if the user account exists
and is configured to use one-time passwords (OTP), a similar issue to
CVE-2007-2243.
OpenSSH 4.6 and earlier, when ChallengeResponseAuthentication is
enabled, allows remote attackers to determine the existence of user
accounts by attempting to authenticate via S/KEY, which displays a
different response if the user account exists, a similar issue to
CVE-2001-1483.
Can you please check, if they occur in the current debian packages?
If you should upload a fix, please mention the CVE numbers in the
changelog.
Thanks for your efforts
Cheers
Steffen
[1]: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-2243
[2]: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-2768
Reply to: