
Bug#436571: marked as done (openssh: CVE-2007-2768 and CVE-2007-2243 (determine the existence of user accounts))



Your message dated Thu, 16 Aug 2007 21:01:33 +1000
with message-id <200708162101.34285.steffen.joeris@skolelinux.de>
and subject line not an issue
has caused the attached Bug report to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere.  Please contact me immediately.)

Debian bug tracking system administrator
(administrator, Debian Bugs database)

--- Begin Message ---
Package: openssh
Severity: normal
Tags: security

Hi

There are two CVEs[1][2] issued for openssh. Text below:

OpenSSH, when using OPIE (One-Time Passwords in Everything) for PAM,
allows remote attackers to determine the existence of certain user
accounts, which displays a different response if the user account exists
and is configured to use one-time passwords (OTP), a similar issue to
CVE-2007-2243.

OpenSSH 4.6 and earlier, when ChallengeResponseAuthentication is
enabled, allows remote attackers to determine the existence of user
accounts by attempting to authenticate via S/KEY, which displays a
different response if the user account exists, a similar issue to
CVE-2001-1483.

Can you please check whether they occur in the current Debian packages?
If you should upload a fix, please mention the CVE numbers in the
changelog.
Thanks for your efforts.

Cheers
Steffen


[1]: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-2243

[2]: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-2768


--- End Message ---
--- Begin Message ---
Hi

This is not a security issue atm; therefore, closing this bug report.

Cheers
Steffen

Attachment: signature.asc
Description: This is a digitally signed message part.


--- End Message ---
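
The second CVE text above applies only when ChallengeResponseAuthentication is enabled. As an added example (not part of the original messages or of the Debian package), this check reports the effective global value of that option in an sshd_config. It assumes that sshd keeps the first value it reads for a keyword and that the option counts as enabled when unset; the sample configurations are constructed.

```python
import re

KEYWORD = "challengeresponseauthentication"
DEFAULT = "yes"  # assumption: option counts as enabled when not set globally

def effective_setting(config_text):
    """Return (value, line_number) from the global section of an sshd_config.

    sshd keeps the first value it reads for a keyword, so later duplicates
    are ignored. line_number is None when the assumed default applies.
    """
    for line_no, raw in enumerate(config_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank line or whole-line comment
        parts = re.split(r"[ \t=]+", line, maxsplit=1)
        key = parts[0].lower()  # keywords are case-insensitive
        if key == "match":
            break  # conditional blocks are outside this global check
        if key == KEYWORD:
            args = parts[1].split() if len(parts) > 1 else []
            value = args[0].strip('"').lower() if args else ""
            return value, line_no
    return DEFAULT, None

def audit(config_text):
    """Summarise whether the precondition named in the CVE text holds."""
    value, line_no = effective_setting(config_text)
    # Anything other than an explicit "no" is reported as enabled for review.
    return {"value": value, "line": line_no, "enabled": value != "no"}

# Constructed sample configurations (not taken from any real host).
SAMPLE_DISABLED = """\
# ChallengeResponseAuthentication yes
Port 22
ChallengeResponseAuthentication no
challengeresponseauthentication yes
"""
SAMPLE_UNSET = "Port 22\nPermitRootLogin no\n"
SAMPLE_ENABLED = "Port 22\nChallengeResponseAuthentication=yes\n"

if __name__ == "__main__":
    for name, text in [("disabled", SAMPLE_DISABLED),
                       ("unset", SAMPLE_UNSET),
                       ("enabled", SAMPLE_ENABLED)]:
        print(name, audit(text))
```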
