Debian Information for VU#369347

OpenSSH vulnerabilities in challenge response handling

Status

Affected

Vendor Statement

Debian 2.2 (the current stable release) is not affected by these problems. The current versions of our "testing" distribution, to become Debian 3.0, and our "unstable" distribution, are both affected by default.

We recommend that users be certain that both:

    ChallengeResponseAuthentication no

and

    PAMAuthenticationViaKbdInt no

are present and uncommented in /etc/ssh/sshd_config (and that the server is restarted). Also, we recommend the use of version 3.3p1, now available from security.debian.org (DSA-134). Stable users do not need to upgrade and may wish to wait until the packages have received better testing.
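The check described above can be scripted. The following is an added example, not part of the CERT note or of Debian's advisory: a POSIX shell script that reads an sshd_config, finds the first uncommented occurrence of each of the two directives (sshd uses the first value it sees for a keyword, matched case-insensitively) and reports whether both are set to "no". The sample configuration files it writes are constructed for the demonstration and are not Debian's shipped defaults; the function and file names are the example's own.

```shell
#!/bin/sh
# Added example (not from the CERT note or Debian): verify that an sshd_config
# carries both mitigating directives, uncommented and set to "no".
# Assumes the classic "Keyword value" line syntax of OpenSSH 3.x.

# directive_is_no FILE KEYWORD
# Succeeds only if the first uncommented line starting with KEYWORD
# (case-insensitive, as sshd matches keywords) has the value "no".
# A commented-out line ("#ChallengeResponseAuthentication no") does not count,
# because sshd ignores it and falls back to its built-in default.
directive_is_no() {
    cfg=$1
    keyword=$2
    value=$(grep -i "^[[:space:]]*${keyword}[[:space:]]" "$cfg" 2>/dev/null \
            | head -n 1 | awk '{print tolower($2)}')
    [ "$value" = "no" ]
}

# check_sshd_config [FILE]
# Prints one line per directive and returns non-zero if either is missing,
# commented out, or set to anything other than "no".
check_sshd_config() {
    cfg=${1:-/etc/ssh/sshd_config}
    rc=0
    for kw in ChallengeResponseAuthentication PAMAuthenticationViaKbdInt; do
        if directive_is_no "$cfg" "$kw"; then
            echo "ok:      $kw no"
        else
            echo "MISSING: $kw no  (absent, commented out, or not 'no')"
            rc=1
        fi
    done
    # Remember that sshd must be restarted after the file is edited;
    # a correct file alone does not change the running daemon.
    return $rc
}

# Constructed sample: a configuration with the mitigation applied.
write_hardened_sample() {
    cat > "$1" <<'EOF'
# constructed sample, mitigation applied
Port 22
Protocol 2
PasswordAuthentication yes
ChallengeResponseAuthentication no
PAMAuthenticationViaKbdInt no
EOF
}

# Constructed sample: one directive commented out, the other set to yes.
write_vulnerable_sample() {
    cat > "$1" <<'EOF'
# constructed sample, mitigation not applied
Port 22
#ChallengeResponseAuthentication no
PAMAuthenticationViaKbdInt yes
EOF
}

# Usage: sh check_sshd_config.sh /etc/ssh/sshd_config
# Runs against the live file only when a path is given on the command line.
if [ -n "$1" ]; then
    check_sshd_config "$1"
fi
```

Run it against the live file as root after editing, then restart the server; a "MISSING" line means sshd would still use its built-in default for that directive regardless of what a commented-out line says.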

We intend to provide 3.4p1 packages in the near future.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Vendor References

None

Addendum

Debian has published a security advisory on this topic at: