[3.4] openssh: Denial of service via very long passwords (CVE-2016-6515)
A denial of service vulnerability was found in openssh. The auth_password function in auth-passwd.c in sshd in OpenSSH before 7.3 does not limit password lengths for password authentication, which allows remote attackers to cause a denial of service (crypt CPU consumption) via a long string.
Reference:
http://seclists.org/oss-sec/2016/q3/215
Patch:
https://github.com/openssh/openssh-portable/commit/fcd135c9df440bcd2d5870405ad3311743d78d97
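The missing length limit described above, shown as an added C illustration that is not the upstream patch or any OpenSSH code. The names `toy_hash`, `check_password_unbounded`, `check_password_bounded` and the cap `EXAMPLE_MAX_PASSWORD_LEN` are assumptions made for this example, and `toy_hash` is a stand-in for crypt(3) so the block builds without libcrypt.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Assumed cap for this illustration; the value is not taken from the page. */
#define EXAMPLE_MAX_PASSWORD_LEN 1024

/* Counts bytes fed to the hash so the cost of each call is observable. */
static unsigned long hash_work;

/* Stand-in for crypt(3): many FNV-1a rounds over the whole input, so the
 * cost grows with password length. That growth is what "crypt CPU
 * consumption" relies on. NOT a password hash; demonstration only. */
static uint64_t toy_hash(const char *s, size_t len)
{
    uint64_t h = 1469598103934665603ULL;
    for (int round = 0; round < 1000; round++)
        for (size_t i = 0; i < len; i++) {
            h = (h ^ (unsigned char)s[i]) * 1099511628211ULL;
            hash_work++;
        }
    return h;
}

/* Unbounded form: every byte the client sends reaches the hash. */
static int check_password_unbounded(const char *password, uint64_t stored)
{
    return toy_hash(password, strlen(password)) == stored;
}

/* Bounded form: over-long input is refused before any hashing happens. */
static int check_password_bounded(const char *password, uint64_t stored)
{
    size_t len = strlen(password);
    if (len > EXAMPLE_MAX_PASSWORD_LEN)
        return 0;
    return toy_hash(password, len) == stored;
}

int main(void)
{
    static char longpw[65536];          /* constructed oversized input */
    memset(longpw, 'A', sizeof longpw - 1);
    uint64_t stored = toy_hash("correct horse", 13);
    hash_work = 0; check_password_unbounded(longpw, stored);
    printf("unbounded: %lu bytes hashed\n", hash_work);
    hash_work = 0; check_password_bounded(longpw, stored);
    printf("bounded:   %lu bytes hashed\n", hash_work);
}
```

The bounded check rejects the oversized input with zero bytes hashed, while a normal-length password still goes through the full comparison.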
(from redmine: issue id 6040, created on 2016-08-17, closed on 2016-08-17)
- Relations:
  - parent #6039 (closed)
- Changesets:
  - Revision 595ce63a by Natanael Copa on 2016-08-17T17:31:24Z:
    main/openssh: security fix for CVE-2016-6515
    fixes #6040