Re: OpenSSH 3.9p1-portable PAM Authentication Remote Information Disclosure
- From: Michal Jaegermann <michal harddata com>
- To: Discussion of the Fedora Legacy Project <fedora-legacy-list redhat com>
- Subject: Re: OpenSSH 3.9p1-portable PAM Authentication Remote Information Disclosure
- Date: Tue, 7 Dec 2004 23:24:13 -0700
On Tue, Dec 07, 2004 at 08:03:01PM -0500, Marc Deslauriers wrote:
>
> An attacker could measure the time between rejections with an attack
> tool and determine the root password.
>
> https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=141642
>
> I don't think the changelog entry Michal posted earlier has
> anything to do with this bug, so it should definitely go into
> bugzilla.
>
That indeed looks like a new problem but the quoted Ubuntu
advisory, i.e. http://www.securityfocus.com/advisories/7575,
and apparently the code from the corresponding patch as well
(although here I only looked very quickly and I possibly missed
something), refer specifically to CAN-2003-0190
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0190
and this was covered by advisories
http://rhn.redhat.com/errata/RHSA-2003-222.html
http://rhn.redhat.com/errata/RHSA-2003-224.html
Bugzilla entry 141642 is dated 2004-12-02.
Michal