Debian Information for VU#369347
OpenSSH vulnerabilities in challenge response handling
- Date Notified: 24 Jun 2002
- Statement Date:
- Date Updated: 27 Jun 2002
Debian 2.2 (the current stable release) is not affected by these problems. The current versions of our "testing" distribution, to become Debian 3.0, and our "unstable" distribution, are both affected by default.
We recommend that users be certain that both:
- ChallengeResponseAuthentication no
- PAMAuthenticationViaKbdInt no
are present and uncommented in /etc/ssh/sshd_config (and that the server is restarted). Also, we recommend the use of version 3.3p1, now available from security.debian.org (DSA-134). Stable users do not need to upgrade and may wish to wait until the packages have received better testing.
We intend to provide 3.4p1 packages in the near future.
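One way to check the condition the statement describes, that both directives are present, uncommented and set to `no`. This is an added example, not code from Debian or from this advisory; the function names `effective_value` and `check_sshd_config` and the sample file are made up here. It relies on sshd treating keywords case-insensitively and using the first uncommented occurrence of each keyword.

```shell
#!/bin/sh
# Added example (not from the advisory): check the two sshd_config mitigations.

# effective_value FILE KEYWORD
# Prints the lowercased value of the first uncommented KEYWORD line, or nothing.
effective_value() {
    awk -v want="$2" '
        BEGIN { want = tolower(want) }
        {
            sub(/^[ \t]+/, ""); sub(/[ \t\r]+$/, "")   # trim both ends
            if ($0 == "" || $0 ~ /^#/) next            # blank or commented out
            split($0, f, /[ \t=]+/)                    # "Key value" or "Key=value"
            if (tolower(f[1]) == want) {
                v = tolower(f[2]); gsub(/"/, "", v)    # tolerate quoted values
                print v
                exit                                   # first occurrence wins
            }
        }' "$1"
}

# check_sshd_config FILE
# Returns 0 only if both directives are effectively "no"; prints one line each.
check_sshd_config() {
    rc=0
    for kw in ChallengeResponseAuthentication PAMAuthenticationViaKbdInt; do
        val=$(effective_value "$1" "$kw")
        if [ "$val" = "no" ]; then
            echo "OK    $kw no"
        else
            echo "FAIL  $kw is '${val:-absent or commented out}'"
            rc=1
        fi
    done
    return $rc
}

# Constructed sample input: the first directive is still commented out and the
# second is written in lower case. On a real host pass /etc/ssh/sshd_config.
demo=$(mktemp)
printf '%s\n' '#ChallengeResponseAuthentication no' \
              'pamauthenticationviakbdint no' > "$demo"
check_sshd_config "$demo" || echo "=> sample file still needs editing"
rm -f "$demo"
```

A passing result only describes the file on disk; the settings take effect once the server has been restarted, as the statement says.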
The vendor has not provided us with any further information regarding this vulnerability.
Debian has published a security advisory on this topic at: