* SECURITY UPDATE: user enumeration via covert timing channel
- debian/patches/CVE-2016-6210-1.patch: determine appropriate salt for
invalid users in auth-passwd.c, openbsd-compat/xcrypt.c.
- debian/patches/CVE-2016-6210-2.patch: mitigate timing of disallowed
users PAM logins in auth-pam.c.
- debian/patches/CVE-2016-6210-3.patch: search users for one with a
valid salt in openbsd-compat/xcrypt.c.
- CVE-2016-6210
* SECURITY UPDATE: denial of service via long passwords
- debian/patches/CVE-2016-6515.patch: skip passwords longer than 1k in
length in auth-passwd.c.
- CVE-2016-6515
-- Marc Deslauriers <email address hidden> Thu, 11 Aug 2016 08:38:27 -0400
This bug was fixed in the package openssh - 1:7.2p2-4ubuntu2.1
--------------- 4ubuntu2. 1) xenial-security; urgency=medium
openssh (1:7.2p2-
* SECURITY UPDATE: user enumeration via covert timing channel patches/ CVE-2016- 6210-1. patch: determine appropriate salt for compat/ xcrypt. c. patches/ CVE-2016- 6210-2. patch: mitigate timing of disallowed patches/ CVE-2016- 6210-3. patch: search users for one with a compat/ xcrypt. c. patches/ CVE-2016- 6515.patch: skip passwords longer than 1k in
- debian/
invalid users in auth-passwd.c, openbsd-
- debian/
users PAM logins in auth-pam.c.
- debian/
valid salt in openbsd-
- CVE-2016-6210
* SECURITY UPDATE: denial of service via long passwords
- debian/
length in auth-passwd.c.
- CVE-2016-6515
-- Marc Deslauriers <email address hidden> Thu, 11 Aug 2016 08:38:27 -0400