openssh (1:3.8.1p1-8.sarge.4) unstable; urgency=high
* Fix timing information leak allowing discovery of invalid usernames in
PAM keyboard-interactive authentication (backported from a patch by
Darren Tucker; closes: #281595).
* Make sure that there's a delay in PAM keyboard-interactive
authentication when PermitRootLogin is not set to yes and the correct
root password is entered (closes: #248747).
-- Colin Watson <[EMAIL PROTECTED]> Sun, 28 Nov 2004 12:37:16 +0000
This doesn't seem to have introduced any new regressions, and I consider
the two information leaks to be security issues.
I'm still rather concerned about #283703, but that's a separate issue
which I haven't yet had time to look into in any detail. We may later
need to rebuild openssh against the current openssl, assuming that it
reaches sarge.
--
Colin Watson [EMAIL PROTECTED]
