Arch Linux: ASA-202305-1 Medium: OpenSSH Security Breach

Arch Linux Security Advisory ASA-201608-1
========================================
Severity: Medium
Date    : 2016-08-02
CVE-ID  : CVE-2016-6210
Package : openssh
Type    : information leakage
Remote  : Yes
Link    : https://wiki.archlinux.org/title/CVE

Summary
======
The package openssh before version 7.3p1-1 is vulnerable to information
leakage.

Resolution
=========
Upgrade to 7.3p1-1.

# pacman -Syu "openssh>=7.3p1-1"

The problem has been fixed upstream in version 7.3p1.

Workaround
=========
None.

Description
==========
Mitigate timing differences in password authentication that could be
used to discern valid from invalid account names when long passwords
were sent and particular password hashing algorithms are in use on the
server. Reported by EddieEzra.Harari at verint.com

Impact
=====
A remote attacker is able to enumerate users by sending large passwords.

References
=========
https://access.redhat.com/security/cve/CVE-2016-6210
https://seclists.org/fulldisclosure/2016/Jul/51
https://www.openssh.org/txt/release-7.3