Your message dated Thu, 16 Aug 2007 21:01:33 +1000
with message-id <200708162101.34285.steffen.joeris@skolelinux.de>
and subject line not an issue
has caused the attached Bug report to be marked as done.

This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what I am talking about this indicates a serious mail system misconfiguration somewhere. Please contact me immediately.)

Debian bug tracking system administrator
(administrator, Debian Bugs database)

--- Begin Message ---
- To: Debian Bug Tracking System <submit@bugs.debian.org>
- Subject: openssh: CVE-2007-2768 and CVE-2007-2243 (determine the existence of user accounts)
- From: Steffen Joeris <steffen.joeris@skolelinux.de>
- Date: Wed, 08 Aug 2007 19:28:53 +1000
- Message-id: <20070808092853.15903.1507.reportbug@katha.debian.org>

Package: openssh
Severity: normal
Tags: security

Hi

There are two CVEs[1][2] issued for openssh. Text below:

OpenSSH, when using OPIE (One-Time Passwords in Everything) for PAM, allows remote attackers to determine the existence of certain user accounts, which displays a different response if the user account exists and is configured to use one-time passwords (OTP), a similar issue to CVE-2007-2243.

OpenSSH 4.6 and earlier, when ChallengeResponseAuthentication is enabled, allows remote attackers to determine the existence of user accounts by attempting to authenticate via S/KEY, which displays a different response if the user account exists, a similar issue to CVE-2001-1483.

Can you please check, if they occur in the current debian packages? If you should upload a fix, please mention the CVE numbers in the changelog.

Thanks for your efforts

Cheers
Steffen

[1]: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-2243
[2]: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-2768
--- End Message ---
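
An added example, not part of the bug report or of OpenSSH: a Python check that reads sshd_config text offline and reports whether the precondition named in the CVE text above, ChallengeResponseAuthentication being enabled, holds for a given configuration. The UsePAM keyword, the upstream defaults and the sample configurations are assumptions of this example and do not come from the report.

```python
# Added example, not from the bug report: reads sshd_config text offline and
# reports the settings the two CVE descriptions depend on.

# Assumption: upstream defaults from sshd_config(5), used when a keyword is absent.
DEFAULTS = {"challengeresponseauthentication": "yes", "usepam": "no"}

def effective_global(config_text):
    """Return the effective global value of each keyword in DEFAULTS.

    sshd keeps the first value it obtains for a keyword and matches keyword
    names case-insensitively. Parsing stops at the first Match line, so
    per-block settings are out of scope for this check.
    """
    found = {}
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        # Keyword and argument are separated by whitespace or a single "=".
        fields = line.replace("=", " ", 1).split()
        key = fields[0].lower()
        if key == "match":
            break
        if key in DEFAULTS and len(fields) > 1 and key not in found:
            found[key] = fields[1].strip('"').lower()
    return {k: found.get(k, DEFAULTS[k]) for k in DEFAULTS}

def audit(config_text):
    """Map the effective settings onto the preconditions named in the CVE text."""
    eff = effective_global(config_text)
    chal = eff["challengeresponseauthentication"] == "yes"
    return {
        # Precondition stated for CVE-2007-2243.
        "challenge_response_enabled": chal,
        # CVE-2007-2768 concerns OPIE behind PAM; whether OPIE is actually in
        # the PAM stack is not visible in sshd_config and is not checked here.
        "pam_challenge_path": chal and eff["usepam"] == "yes",
    }

# Constructed sample configurations (not taken from any real host).
SAMPLE_DISABLED = "UsePAM yes\nchallengeresponseauthentication no\nChallengeResponseAuthentication yes\n"
SAMPLE_DEFAULTS = "Port 22\nPermitRootLogin no\n"

if __name__ == "__main__":
    for name, text in (("disabled", SAMPLE_DISABLED), ("defaults", SAMPLE_DEFAULTS)):
        print(name, audit(text))
```

On a live host, `sshd -T` prints the effective configuration directly; the parser here is for reviewing configuration files collected from other systems.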
--- Begin Message ---
- To: 436571-done@bugs.debian.org
- Subject: not an issue
- From: Steffen Joeris <steffen.joeris@skolelinux.de>
- Date: Thu, 16 Aug 2007 21:01:33 +1000
- Message-id: <200708162101.34285.steffen.joeris@skolelinux.de>

Hi

This is not a security issue atm, therefore, closing this bugreport.

Cheers
Steffen

Attachment: signature.asc
Description: This is a digitally signed message part.
--- End Message ---