author Colin Watson <cjwatson@debian.org> 2015-08-19 18:44:47 +0100
committer Colin Watson <cjwatson@debian.org> 2015-08-19 18:45:49 +0100
commit 6461fa1951314cf8c8ee9a7999f987b8003f4ff6
tree bcbcccfa77e1754cbc711f42b67f3c5a4105bc28 /debian/changelog
parent d2d9171e73cd2db10fabf9dd4924d3dcd5f13c7a
parent ba9e0b1d4edf5876b289affd9d31bab493f0d0a4
CVE-2015-5600: sshd(8): Fix circumvention of MaxAuthTries using keyboard-interactive authentication (closes: #793616).
Diffstat (limited to 'debian/changelog')
-rw-r--r-- debian/changelog 7
1 files changed, 7 insertions, 0 deletions
diff --git a/debian/changelog b/debian/changelog
index 8e8e9d778..252bc394f 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -144,6 +144,13 @@ openssh (1:6.9p1-1) UNRELEASED; urgency=medium
144 reachable by attackers who could compromise the pre-authentication 144 reachable by attackers who could compromise the pre-authentication
145 process for remote code execution (closes: #795711). Also reported by 145 process for remote code execution (closes: #795711). Also reported by
146 Moritz Jodeit. 146 Moritz Jodeit.
147 - CVE-2015-5600: sshd(8): Fix circumvention of MaxAuthTries using
148 keyboard-interactive authentication (closes: #793616). By specifying
149 a long, repeating keyboard-interactive "devices" string, an attacker
150 could request the same authentication method be tried thousands of
151 times in a single pass. The LoginGraceTime timeout in sshd(8) and any
152 authentication failure delays implemented by the authentication
153 mechanism itself were still applied. Found by Kingcope.
147 * Thanks to Jakub Jelen of Red Hat for Fedora's rebased version of the 154 * Thanks to Jakub Jelen of Red Hat for Fedora's rebased version of the
148 GSSAPI key exchange patch. 155 GSSAPI key exchange patch.
149 156
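Review bot: The closing sentence of the added entry (new lines 151-153, "The LoginGraceTime timeout in sshd(8) and any authentication failure delays ... were still applied") does not say why it is there, and on a quick read it can be taken as part of the defect rather than as the limit on it. Consider making the relationship explicit, for example "The attempts were still bounded by the LoginGraceTime timeout and by any failure delays of the authentication mechanism". The entry also describes the MaxAuthTries bypass through the repeated keyboard-interactive "devices" string but not what sshd does differently after the fix; a short clause on the new behaviour would help administrators reading the changelog decide whether they still need a local workaround. Finally, the hunk header shows this stanza as UNRELEASED with urgency=medium; since the stanza now carries this CVE alongside the remote code execution item above it (#795711), it is worth confirming that the urgency is still the intended one before upload.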