ArchLinux: 201608-1: openssh: information leakage
Summary
Mitigate timing differences in password authentication that could be used to discern valid from invalid account names when long passwords were sent and particular password hashing algorithms were in use on the server. Reported by EddieEzra.Harari at verint.com.
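A toy model of the class of flaw described above, as an added example (not OpenSSH code and not part of the advisory). It assumes the unhardened path hashes unknown accounts with a different scheme than real accounts, and it counts password bytes hashed as a stand-in for response time. The scheme names `trunc` and `full`, the account table and all values are constructed.

```python
import hashlib
import hmac

ROUNDS = 200  # constructed cost, small so the example runs quickly

def stretch(scheme, salt, password):
    """Toy password hash; returns (digest, bytes_of_password_hashed).
    'trunc' reads only the first 72 bytes; 'full' feeds the whole password
    into every round, so its cost grows with password length."""
    data = password[:72] if scheme == "trunc" else password
    digest, work = salt, 0
    for _ in range(ROUNDS):
        digest = hashlib.sha512(digest + data).digest()
        work += len(data)
    return digest, work

# Constructed account table (user -> scheme, salt, digest); not real data.
ACCOUNTS = {"alice": ("full", b"salt-a", stretch("full", b"salt-a", b"correct horse")[0])}
FAKE_SALT = b"salt-x"

def scheme_in_use():
    """Scheme used by the real accounts on this (toy) server."""
    return next(iter(ACCOUNTS.values()))[0]

def check_password(user, password, hardened):
    """Returns (authenticated, work); work stands in for response time."""
    record = ACCOUNTS.get(user)
    if record is None:
        # Unknown account: hash anyway so the failure is not instant.
        # Unhardened (assumed): a fixed scheme, whatever real accounts use.
        # Hardened: the same scheme the real accounts use.
        scheme = scheme_in_use() if hardened else "trunc"
        return False, stretch(scheme, FAKE_SALT, password)[1]
    scheme, salt, expected = record
    digest, work = stretch(scheme, salt, password)
    return hmac.compare_digest(digest, expected), work

def timing_gap(password, hardened):
    """Work for a known account minus work for an unknown one."""
    return (check_password("alice", password, hardened)[1]
            - check_password("no-such-user", password, hardened)[1])

if __name__ == "__main__":
    for pw in (b"short", b"A" * 10000):
        print(len(pw), timing_gap(pw, False), timing_gap(pw, True))
```

In this model the gap is zero for short passwords and grows with password length only on the unhardened path, which matches the advisory's note that long passwords were needed to observe the difference.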
Resolution
Upgrade to 7.3p1-1.
# pacman -Syu "openssh>=7.3p1-1"
The problem has been fixed upstream in version 7.3p1.
References
https://access.redhat.com/security/cve/CVE-2016-6210
https://seclists.org/fulldisclosure/2016/Jul/51
http://www.openssh.com/txt/release-7.3
Workaround
None.