Package: openssh Severity: normal Tags: security Hi
There are two CVEs[1][2] issued for openssh. Text below: OpenSSH, when using OPIE (One-Time Passwords in Everything) for PAM, allows remote attackers to determine the existence of certain user accounts, which displays a different response if the user account exists and is configured to use one-time passwords (OTP), a similar issue to CVE-2007-2243. OpenSSH 4.6 and earlier, when ChallengeResponseAuthentication is enabled, allows remote attackers to determine the existence of user accounts by attempting to authenticate via S/KEY, which displays a different response if the user account exists, a similar issue to CVE-2001-1483. Can you please check, if they occur in the current debian packages? If you should upload a fix, please mention the CVE numbers in the changelog. Thanks for your efforts Cheers Steffen [1]: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-2243 [2]: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-2768 -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
