On Sun, Jul 05, 2009 at 08:35:15PM +0200, Florian Weimer wrote:
> Package: libpam-ssh
> Tags: security
>
> A user enumeration issue has been disclosed in libpam-ssh:
>
> | pam_ssh 1.92 and possibly other versions, as used when PAM is
> | compiled with USE=ssh, generates different error messages depending
> | on whether the username is valid or invalid, which makes it easier
> | for remote attackers to enumerate usernames.
>
> <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1273>
>
> The Gentoo bug report linked from there contains a patch.
>
> This should probably be uploaded to (old)stable-proposed-updates,
> combined with the fix for CVE-2007-0844.

Jens, can you take care of an upload to stable-proposed-updates?

Cheers,
Moritz