Explore top 10 tips to secure your open-source projects now. Read More

×
Alerts This Week
Warning Icon 1 531
Alerts This Week
Warning Icon 1 531

Arch Linux: ASA-202305-1 Medium: OpenSSH Security Breach

Archlinux Large Esm H446
The package openssh before version 7.3p1-1 is vulnerable to information leakage.
Arch Linux Security Advisory ASA-201608-1
========================================
Severity: Medium
Date    : 2016-08-02
CVE-ID  : CVE-2016-6210
Package : openssh
Type    : information leakage
Remote  : Yes
Link    : https://wiki.archlinux.org/title/CVE

Summary
======
The package openssh before version 7.3p1-1 is vulnerable to information
leakage.

Resolution
=========
Upgrade to 7.3p1-1.

# pacman -Syu "openssh>=7.3p1-1"

The problem has been fixed upstream in version 7.3p1.

Workaround
=========
None.

Description
==========
Mitigate timing differences in password authentication that could be
used to discern valid from invalid account names when long passwords
were sent and particular password hashing algorithms are in use on the
server. Reported by EddieEzra.Harari at verint.com

Impact
=====
A remote attacker is able to enumerate users by sending large passwords.

References
=========
https://access.redhat.com/security/cve/CVE-2016-6210
https://seclists.org/fulldisclosure/2016/Jul/51
https://www.openssh.org/txt/release-7.3