On Fri, Aug 07, 2015 at 11:30:07AM +0000, Debian Bug Tracking System wrote: > openssh (1:5.5p1-6+squeeze6) squeeze-lts; urgency=medium > . > * Non-maintainer upload by the Debian LTS team. > * CVE-2015-5352: Reject X11 connections after hard-coded Xauth cookie > expiration time of 1200 seconds. (Closes: #790798). > * CVE-2015-5600: Only query each keyboard-interactive device once per > authentication request regardless of how many times it is listed. > (Closes: #793616).
I have not yet looked at the actual patch applied here, but please note that for versions of OpenSSH earlier than 6.5p1 (thus, squeeze and wheezy) there is a gotcha: you need the additional patch from https://bugs.launchpad.net/ubuntu/+source/openssh/+bug/1485719. If you didn't include that then I think you need to issue a follow-up advisory. -- Colin Watson [cjwat...@debian.org]
