Package: libpam-ssh Tags: security A user enumeration issue has been disclosed in libpam-ssh:
| pam_ssh 1.92 and possibly other versions, as used when PAM is | compiled with USE=ssh, generates different error messages depending | on whether the username is valid or invalid, which makes it easier | for remote attackers to enumerate usernames. <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1273> The Gentoo bug report linked from there contains a patch. This should probably be uploaded to (old)stable-proposed-updates, combined with the fix for CVE-2007-0844. -- To UNSUBSCRIBE, email to [email protected] with a subject of "unsubscribe". Trouble? Contact [email protected]

