Debian Bug report logs - #436571
openssh: CVE-2007-2768 and CVE-2007-2243 (determine the existence of user accounts)

Report forwarded to debian-bugs-dist@lists.debian.org, Debian OpenSSH Maintainers <debian-ssh@lists.debian.org>: Bug#436571; Package openssh.
Acknowledgement sent to Steffen Joeris <steffen.joeris@skolelinux.de>: New Bug report received and forwarded. Copy sent to Debian OpenSSH Maintainers <debian-ssh@lists.debian.org>.

Message #5 received at submit@bugs.debian.org:
Package: openssh
Severity: normal
Tags: security
Hi
There are two CVEs[1][2] issued for openssh. Text below:
OpenSSH, when using OPIE (One-Time Passwords in Everything) for PAM,
allows remote attackers to determine the existence of certain user
accounts, which displays a different response if the user account exists
and is configured to use one-time passwords (OTP), a similar issue to
CVE-2007-2243.
OpenSSH 4.6 and earlier, when ChallengeResponseAuthentication is
enabled, allows remote attackers to determine the existence of user
accounts by attempting to authenticate via S/KEY, which displays a
different response if the user account exists, a similar issue to
CVE-2001-1483.
Can you please check whether they occur in the current Debian packages?
If you should upload a fix, please mention the CVE numbers in the
changelog.
Thanks for your efforts
Cheers
Steffen
[1]: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-2243
[2]: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-2768
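As an added illustration (not code from this bug report or from OpenSSH), here is a Python sketch of the response difference the two CVE texts above describe, beside a hardened handler that answers every username with a challenge of the same shape; the OTP_USERS table, FAKE_SEED_KEY and the "otp-sha1 <seq> <seed>" format are constructed assumptions, not OpenSSH's real S/KEY or OPIE code.

```python
import hashlib
import hmac
import secrets

# Constructed server state: only "alice" is enrolled for one-time passwords.
OTP_USERS = {"alice": {"seq": 98, "seed": "de1234"}}
# Constructed per-server secret; derives stable fake challenges for unknown users.
FAKE_SEED_KEY = secrets.token_bytes(32)


def skey_challenge_vulnerable(username: str) -> str:
    """Leaks account existence: unenrolled/unknown names get a different answer."""
    if username not in OTP_USERS:
        return "otp-sha1 unavailable for user"  # distinguishable from a real challenge
    u = OTP_USERS[username]
    return f"otp-sha1 {u['seq']} {u['seed']}"


def skey_challenge_hardened(username: str) -> str:
    """Same response shape for every name. The fake challenge is an HMAC of the
    username, so repeated probes of the same name see the same values, as a real
    enrolled user would. (Timing should be equalised separately; not shown.)"""
    if username in OTP_USERS:
        u = OTP_USERS[username]
        seq, seed = u["seq"], u["seed"]
    else:
        digest = hmac.new(FAKE_SEED_KEY, username.encode(), hashlib.sha256).digest()
        seq = 1 + digest[0] % 99   # plausible sequence number in 1..99
        seed = digest[1:4].hex()   # plausible 6-hex-character seed
    return f"otp-sha1 {seq} {seed}"


def looks_like_challenge(response: str) -> bool:
    """Shape check a client (or a test) would apply to a server response."""
    parts = response.split()
    return len(parts) == 3 and parts[0] == "otp-sha1" and parts[1].isdigit()


def responses_distinguishable(challenge_fn, names) -> bool:
    """Defensive self-check: True if response shape differs across usernames,
    i.e. the handler still reveals which accounts exist."""
    shapes = {looks_like_challenge(challenge_fn(n)) for n in names}
    return len(shapes) > 1
```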
Information forwarded to debian-bugs-dist@lists.debian.org, Debian OpenSSH Maintainers <debian-ssh@lists.debian.org>: Bug#436571; Package openssh.
Acknowledgement sent to Nico Golde <nion@debian.org>: Extra info received and forwarded to list. Copy sent to Debian OpenSSH Maintainers <debian-ssh@lists.debian.org>.

Message #10 received at 436571@bugs.debian.org:
Hi,
Please see: http://bugs.debian.org/112279
Kind regards
Nico
--
Nico Golde - http://ngolde.de - nion@jabber.ccc.de - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.
Tags removed: security. Request was from Nico Golde <nion@debian.org> to control@bugs.debian.org. (Tue, 14 Aug 2007 21:33:08 GMT)
Reply sent to Steffen Joeris <steffen.joeris@skolelinux.de>: You have taken responsibility.
Notification sent to Steffen Joeris <steffen.joeris@skolelinux.de>: Bug acknowledged by developer.

Message #17 received at 436571-done@bugs.debian.org:
Hi
This is not a security issue atm; therefore, closing this bug report.
Cheers
Steffen
Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Fri, 14 Sep 2007 07:28:11 GMT)
Debian bug tracking system administrator <owner@bugs.debian.org>.
Last modified: Wed Jun 19 18:36:32 2019; Machine Name: buxtehude
Debian Bug tracking system
Debbugs is free software and licensed under the terms of the GNU Public License version 2. The current version can be obtained from https://bugs.debian.org/debbugs-source/.
Copyright © 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson, 2005-2017 Don Armstrong, and many other contributors.