[Date Prev][Date Next] [Thread Prev][Thread Next] [Thread Index] [Date Index] [Author Index]

Re: OpenSSH 3.9p1-portable PAM Authentication Remote Information Disclosure

From: Michal Jaegermann <michal harddata com>
To: Discussion of the Fedora Legacy Project <fedora-legacy-list redhat com>
Subject: Re: OpenSSH 3.9p1-portable PAM Authentication Remote Information Disclosure
Date: Tue, 7 Dec 2004 08:53:55 -0700

On Tue, Dec 07, 2004 at 09:36:11AM -0500, John Dalbec wrote:
> Does this affect -Legacy?
> 04.48.30 CVE: CAN-2003-0190
> Platform: Cross Platform
> Title: OpenSSH-portable PAM Authentication Remote Information
> Disclosure
......
On the first glance this looks like a problem which has the
following entry in a changelog from openssh-3.1p1-14:

* Thu Jun 05 2003 Nalin Dahyabhai <nalin redhat com> 3.1p1-7

- backport patch to close timing attacks when PAM authentication is
  short-circuited by other checks

At this iime I am not absolutely sure about that.

   Michal

Follow-Ups:
- Re: OpenSSH 3.9p1-portable PAM Authentication Remote Information Disclosure
  - From: Matthew Miller

References:
- OpenSSH 3.9p1-portable PAM Authentication Remote Information Disclosure
  - From: John Dalbec

[Date Prev][Date Next] [Thread Prev][Thread Next] [Thread Index] [Date Index] [Author Index]