summaryrefslogtreecommitdiff
path: root/debian/patches/CVE-2016-6210-3.patch
diff options
context:
space:
mode:
authorDarren Tucker <dtucker@zip.com.au>2016-07-15 13:49:44 +1000
committerColin Watson <cjwatson@debian.org>2016-07-22 13:59:49 +0100
commitdde63f7f998ac3812a26bbb2c1b2947f24fcd060 (patch)
treebe4b41e362d31150cc84039aa6150ccb637d8107 /debian/patches/CVE-2016-6210-3.patch
parente5ef9d3942cebda819a6fd81647b51c8d87d23df (diff)
Mitigate timing of disallowed users PAM logins.
When sshd decides to not allow a login (eg PermitRootLogin=no) and it's using PAM, it sends a fake password to PAM so that the timing for the failure is not noticeably different whether or not the password is correct. This behaviour can be detected by sending a very long password string which is slower to hash than the fake password. Mitigate by constructing an invalid password that is the same length as the one from the client and thus takes the same time to hash. Diff from djm@ Origin: upstream, https://anongit.mindrot.org/openssh.git/commit/?id=283b97ff33ea2c641161950849931bd578de6946 Bug-Debian: https://bugs.debian.org/831902 Last-Update: 2016-07-22 Patch-Name: CVE-2016-6210-2.patch
Diffstat (limited to 'debian/patches/CVE-2016-6210-3.patch')
0 files changed, 0 insertions, 0 deletions