Package: libpam-ssh
Tags: security

A user enumeration issue has been disclosed in libpam-ssh:

| pam_ssh 1.92 and possibly other versions, as used when PAM is
| compiled with USE=ssh, generates different error messages depending
| on whether the username is valid or invalid, which makes it easier
| for remote attackers to enumerate usernames.

<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1273>

The Gentoo bug report linked from there contains a patch.

This should probably be uploaded to (old)stable-proposed-updates,
combined with the fix for CVE-2007-0844.



-- 
To UNSUBSCRIBE, email to [email protected]
with a subject of "unsubscribe". Trouble? Contact [email protected]

Reply via email to