Описание
Security update for openssh
This update for openssh fixes the following issues:
- Prevent user enumeration through the timing of password processing (bsc#989363, CVE-2016-6210) [-prevent_timing_user_enumeration]
- Allow lowering the DH groups parameter limit in server as well as when GSSAPI key exchange is used (bsc#948902)
- limit accepted password length (prevents possible DoS) (bsc#992533, CVE-2016-6515)
Bug fixes:
- avoid complaining about unset DISPLAY variable (bsc#981654)
Список пакетов
SUSE Linux Enterprise Desktop 12 SP1
openssh-6.6p1-52.1
openssh-askpass-gnome-6.6p1-52.1
openssh-helpers-6.6p1-52.1
SUSE Linux Enterprise Server 12 SP1
openssh-6.6p1-52.1
openssh-askpass-gnome-6.6p1-52.1
openssh-fips-6.6p1-52.1
openssh-helpers-6.6p1-52.1
SUSE Linux Enterprise Server 12-LTSS
openssh-6.6p1-52.1
openssh-askpass-gnome-6.6p1-52.1
openssh-fips-6.6p1-52.1
openssh-helpers-6.6p1-52.1
SUSE Linux Enterprise Server for SAP Applications 12
openssh-6.6p1-52.1
openssh-askpass-gnome-6.6p1-52.1
openssh-fips-6.6p1-52.1
openssh-helpers-6.6p1-52.1
SUSE Linux Enterprise Server for SAP Applications 12 SP1
openssh-6.6p1-52.1
openssh-askpass-gnome-6.6p1-52.1
openssh-fips-6.6p1-52.1
openssh-helpers-6.6p1-52.1
Ссылки
- Link for SUSE-SU-2016:2280-1
- E-Mail link for SUSE-SU-2016:2280-1
- SUSE Security Ratings
- SUSE Bug 948902
- SUSE Bug 981654
- SUSE Bug 989363
- SUSE Bug 992533
- SUSE CVE CVE-2016-6210 page
- SUSE CVE CVE-2016-6515 page
Описание
sshd in OpenSSH before 7.3, when SHA256 or SHA512 are used for user password hashing, uses BLOWFISH hashing on a static password when the username does not exist, which allows remote attackers to enumerate users by leveraging the timing difference between responses when a large password is provided.
Затронутые продукты
SUSE Linux Enterprise Desktop 12 SP1:openssh-6.6p1-52.1
SUSE Linux Enterprise Desktop 12 SP1:openssh-askpass-gnome-6.6p1-52.1
SUSE Linux Enterprise Desktop 12 SP1:openssh-helpers-6.6p1-52.1
SUSE Linux Enterprise Server 12 SP1:openssh-6.6p1-52.1
Ссылки
- CVE-2016-6210
- SUSE Bug 1001712
- SUSE Bug 1010950
- SUSE Bug 1105010
- SUSE Bug 1138392
- SUSE Bug 989363
Описание
The auth_password function in auth-passwd.c in sshd in OpenSSH before 7.3 does not limit password lengths for password authentication, which allows remote attackers to cause a denial of service (crypt CPU consumption) via a long string.
Затронутые продукты
SUSE Linux Enterprise Desktop 12 SP1:openssh-6.6p1-52.1
SUSE Linux Enterprise Desktop 12 SP1:openssh-askpass-gnome-6.6p1-52.1
SUSE Linux Enterprise Desktop 12 SP1:openssh-helpers-6.6p1-52.1
SUSE Linux Enterprise Server 12 SP1:openssh-6.6p1-52.1
Ссылки
- CVE-2016-6515
- SUSE Bug 1010950
- SUSE Bug 1115893
- SUSE Bug 992533