OpenSSH 3.9p1-portable PAM Authentication Remote Information Disclosure
Michal Jaegermann
michal at harddata.com
Wed Dec 8 06:24:13 UTC 2004
On Tue, Dec 07, 2004 at 08:03:01PM -0500, Marc Deslauriers wrote:
>
> An attacker could measure the time between rejections with an attack
> tool and determine the root password.
>
> https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=141642
>
> I don't think the changelog entry Michal posted earlier has
> anything to do with this bug, so it should definitely go into
> bugzilla.
>
That indeed looks like a new problem but the quoted Ubuntu
advisory, i.e. http://www.securityfocus.com/advisories/7575,
and apparently the code from the corresponding patch as well
(although here I only looked very quickly and I possibly missed
something), refer specifically to CAN-2003-0190
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0190
and this was covered by advisories
http://rhn.redhat.com/errata/RHSA-2003-222.html
http://rhn.redhat.com/errata/RHSA-2003-224.html
Bugzilla entry 141642 is dated 2004-12-02.
Michal