Diffstat (limited to 'debian/changelog')
-rw-r--r-- | debian/changelog | 7 |
1 files changed, 7 insertions, 0 deletions
diff --git a/debian/changelog b/debian/changelog index 8e8e9d778..252bc394f 100644 --- a/debian/changelog +++ b/debian/changelog | |||
@@ -144,6 +144,13 @@ openssh (1:6.9p1-1) UNRELEASED; urgency=medium | |||
144 | reachable by attackers who could compromise the pre-authentication | 144 | reachable by attackers who could compromise the pre-authentication |
145 | process for remote code execution (closes: #795711). Also reported by | 145 | process for remote code execution (closes: #795711). Also reported by |
146 | Moritz Jodeit. | 146 | Moritz Jodeit. |
147 | - CVE-2015-5600: sshd(8): Fix circumvention of MaxAuthTries using | ||
148 | keyboard-interactive authentication (closes: #793616). By specifying | ||
149 | a long, repeating keyboard-interactive "devices" string, an attacker | ||
150 | could request the same authentication method be tried thousands of | ||
151 | times in a single pass. The LoginGraceTime timeout in sshd(8) and any | ||
152 | authentication failure delays implemented by the authentication | ||
153 | mechanism itself were still applied. Found by Kingcope. | ||
147 | * Thanks to Jakub Jelen of Red Hat for Fedora's rebased version of the | 154 | * Thanks to Jakub Jelen of Red Hat for Fedora's rebased version of the |
148 | GSSAPI key exchange patch. | 155 | GSSAPI key exchange patch. |
149 | 156 | ||
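Review bot: The closing sentence of the new CVE-2015-5600 entry (new lines 151-153, "The LoginGraceTime timeout in sshd(8) and any authentication failure delays ... were still applied") is ambiguous next to "Fix circumvention of MaxAuthTries": it can be read as describing what the fix does rather than the limits that still bounded the repeated attempts before the fix. Consider rewording so that is explicit, for example "... thousands of times in a single pass, bounded only by LoginGraceTime and any failure delays of the authentication mechanism itself." Separately, the entry carries "closes: #793616", which closes the bug on upload, so confirm that the keyboard-interactive fix itself ships in this version; this view is limited to debian/changelog and shows only the changelog text.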