diff options
Diffstat (limited to 'debian/changelog')
| -rw-r--r-- | debian/changelog | 7 |
1 files changed, 7 insertions, 0 deletions
diff --git a/debian/changelog b/debian/changelog index 8e8e9d778..252bc394f 100644 --- a/debian/changelog +++ b/debian/changelog | |||
| @@ -144,6 +144,13 @@ openssh (1:6.9p1-1) UNRELEASED; urgency=medium | |||
| 144 | reachable by attackers who could compromise the pre-authentication | 144 | reachable by attackers who could compromise the pre-authentication |
| 145 | process for remote code execution (closes: #795711). Also reported by | 145 | process for remote code execution (closes: #795711). Also reported by |
| 146 | Moritz Jodeit. | 146 | Moritz Jodeit. |
| 147 | - CVE-2015-5600: sshd(8): Fix circumvention of MaxAuthTries using | ||
| 148 | keyboard-interactive authentication (closes: #793616). By specifying | ||
| 149 | a long, repeating keyboard-interactive "devices" string, an attacker | ||
| 150 | could request the same authentication method be tried thousands of | ||
| 151 | times in a single pass. The LoginGraceTime timeout in sshd(8) and any | ||
| 152 | authentication failure delays implemented by the authentication | ||
| 153 | mechanism itself were still applied. Found by Kingcope. | ||
| 147 | * Thanks to Jakub Jelen of Red Hat for Fedora's rebased version of the | 154 | * Thanks to Jakub Jelen of Red Hat for Fedora's rebased version of the |
| 148 | GSSAPI key exchange patch. | 155 | GSSAPI key exchange patch. |
| 149 | 156 | ||