[SECURITY-L] [S] OpenSSH-portable PAM Authentication Remote Information Disclosure Vulnerability

CSIRT - UNICAMP security at unicamp.br
Fri Feb 18 10:39:10 -02 2005


----- Forwarded message from Nelson Murilo <nelson at pangeia.com.br> -----

From: Nelson Murilo <nelson at pangeia.com.br>
Subject: [S] OpenSSH-portable PAM Authentication Remote Information Disclosure Vulnerability
To: seguranca at pangeia.com.br
Date: Fri, 18 Feb 2005 09:24:35 -0200


[http://www.securityfocus.com/bid/11781/info/]

It is reported that OpenSSH contains an information disclosure vulnerability. This issue exists in the portable version of OpenSSH. The portable version is the version that is distributed for operating systems other than its native OpenBSD platform.

This issue is related to BID 7467. It is reported that the previous fix for BID 7476 was insufficient to completely fix the issue. It is not confirmed at this time, but this current issue may involve differing code paths in PAM, resulting in a new vulnerability.

This vulnerability allows remote users to test for the existence of valid usernames. Knowledge of usernames may aid them in further attacks.



----- End forwarded message -----


