author | Colin Watson <cjwatson@debian.org> | 2015-08-19 18:44:47 +0100 |
---|---|---|
committer | Colin Watson <cjwatson@debian.org> | 2015-08-19 18:45:49 +0100 |
commit | 6461fa1951314cf8c8ee9a7999f987b8003f4ff6 (patch) | |
tree | bcbcccfa77e1754cbc711f42b67f3c5a4105bc28 /debian/changelog | |
parent | d2d9171e73cd2db10fabf9dd4924d3dcd5f13c7a (diff) | |
parent | ba9e0b1d4edf5876b289affd9d31bab493f0d0a4 (diff) |
CVE-2015-5600: sshd(8): Fix circumvention of MaxAuthTries using keyboard-interactive authentication (closes: #793616).
Diffstat (limited to 'debian/changelog')
-rw-r--r-- | debian/changelog | 7 |
1 files changed, 7 insertions, 0 deletions
diff --git a/debian/changelog b/debian/changelog index 8e8e9d778..252bc394f 100644 --- a/debian/changelog +++ b/debian/changelog | |||
@@ -144,6 +144,13 @@ openssh (1:6.9p1-1) UNRELEASED; urgency=medium | |||
144 | reachable by attackers who could compromise the pre-authentication | 144 | reachable by attackers who could compromise the pre-authentication |
145 | process for remote code execution (closes: #795711). Also reported by | 145 | process for remote code execution (closes: #795711). Also reported by |
146 | Moritz Jodeit. | 146 | Moritz Jodeit. |
147 | - CVE-2015-5600: sshd(8): Fix circumvention of MaxAuthTries using | ||
148 | keyboard-interactive authentication (closes: #793616). By specifying | ||
149 | a long, repeating keyboard-interactive "devices" string, an attacker | ||
150 | could request the same authentication method be tried thousands of | ||
151 | times in a single pass. The LoginGraceTime timeout in sshd(8) and any | ||
152 | authentication failure delays implemented by the authentication | ||
153 | mechanism itself were still applied. Found by Kingcope. | ||
147 | * Thanks to Jakub Jelen of Red Hat for Fedora's rebased version of the | 154 | * Thanks to Jakub Jelen of Red Hat for Fedora's rebased version of the |
148 | GSSAPI key exchange patch. | 155 | GSSAPI key exchange patch. |
149 | 156 | ||
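Review bot: The new CVE-2015-5600 item (new lines 147-153) explains how a repeating keyboard-interactive "devices" string got around MaxAuthTries, but it does not say what sshd does differently once the fix is applied. A short closing clause describing the new behaviour would let administrators reading the changelog judge whether LoginGraceTime and the mechanism's own failure delays, which the entry names as the only limits that still applied, remain their sole protection on unpatched hosts. Separately, the stanza in the hunk header is still marked urgency=medium although it now carries this CVE fix next to the pre-authentication remote code execution item visible in the context lines; please confirm that urgency is what you intend before the entry leaves UNRELEASED.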