[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

[SECURITY] [DLA 288-2] openssh regression update



Package        : openssh
Version        : 1:5.5p1-6+squeeze7
CVE ID         : CVE-2015-5600

In Debian LTS (squeeze), the fix for CVE-2015-5600[1] in openssh
1:5.5p1-6+squeeze7 breaks authentication mechanisms that rely on the
keyboard-interactive method. Thanks to Colin Watson for making aware of
that.

The patch fixing CVE-2015-5600 introduces the field 'devices_done' to the
KbdintAuthctxt struct, but does not initialize the field in the
kbdint_alloc() function. On Linux, this ends up filling that field with
junk data. The result of this are random login failures when
keyboard-interactive authentication is used.

This upload of openssh 1:5.5p1-6+squeeze7 to Debian LTS (squeeze) adds
that initialization of the `devices_done` field alongside the existing
initialization code.

People relying on keyboard-interactive based authentication mechanisms with
OpenSSH on Debian squeeze(-lts) systems are recommended to upgrade
OpenSSH to 1:5.5p1-6+squeeze7.

[1] https://lists.debian.org/debian-lts-announce/2015/08/msg00001.html

-- 

mike gabriel aka sunweaver (Debian Developer)
fon: +49 (1520) 1976 148

GnuPG Fingerprint: 9BFB AEE8 6C0A A5FF BF22  0782 9AF4 6B30 2577 1B31
mail: sunweaver@debian.org, http://sunweavers.net

Attachment: signature.asc
Description: Digital signature


Reply to: