Debian Information for VU#369347

OpenSSH vulnerabilities in challenge response handling



Vendor Statement

Debian 2.2 (the current stable release) is not affected by these problems. The current versions of our "testing" distribution, to become Debian 3.0, and our "unstable" distribution, are both affected by default.

We recommend that users be certain that both:

    ChallengeResponseAuthentication no

    PAMAuthenticationViaKbdInt no

are present and uncommented in /etc/ssh/sshd_config (and that the server is restarted). Also, we recommend the use of version 3.3p1, now available (DSA-134). Stable users do not need to upgrade and may wish to wait until the packages have received better testing.

We intend to provide 3.4p1 packages in the near future.
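
The following is an added example, not part of Debian's statement or of this CERT/CC page: a small POSIX shell check that reports whether a given sshd_config actually carries both directives uncommented and set to "no". It relies on two facts about sshd's configuration parsing that the statement itself does not spell out: only the first uncommented value of a keyword counts (a later "no" does not override an earlier "yes"), and a keyword that is absent falls back to its built-in default, which for both options on the affected 3.x builds is "yes". The file names and the two sample configurations are constructed for illustration.

```shell
#!/bin/sh
# Added example (not Debian's or CERT/CC's code): check whether an sshd_config
# from the OpenSSH 3.x era disables both directives named in the advisory.
# sshd honours the FIRST uncommented value of each keyword, so that is what we
# inspect; a keyword that never appears keeps its default, which on the
# affected releases is "yes". Keywords are case-insensitive, arguments are not,
# and both "Keyword value" and "Keyword=value" are accepted.

# first_value FILE KEYWORD: print the first effective value of KEYWORD, if any.
first_value() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*(#|$)/ { next }          # skip comments and blank lines
        { sub(/=/, " ") }                      # normalise "Keyword=value"
        tolower($1) == key { print $2; exit }  # first match wins, as in sshd
    ' "$1"
}

# mitigated FILE: succeed only if both directives are uncommented and "no";
# otherwise explain which one fails and return 1.
mitigated() {
    rc=0
    for kw in ChallengeResponseAuthentication PAMAuthenticationViaKbdInt; do
        val=$(first_value "$1" "$kw")
        case "$val" in
            no) ;;
            "") echo "$1: $kw not set (default is yes: still affected)"; rc=1 ;;
            *)  echo "$1: $kw is '$val', must be 'no'"; rc=1 ;;
        esac
    done
    return $rc
}

# Demonstration on two constructed configurations (not files from any real host).
demo() {
    dir=$(mktemp -d)
    # Looks fixed at a glance, but the first directive is commented out.
    printf '%s\n' '#ChallengeResponseAuthentication no' \
                  'PAMAuthenticationViaKbdInt no' > "$dir/sshd_config.vuln"
    # Hardened as the advisory asks; mixed case and "=" are fine for sshd.
    printf '%s\n' 'challengeresponseauthentication=no' \
                  'PAMAuthenticationViaKbdInt no' > "$dir/sshd_config.ok"
    for f in "$dir/sshd_config.vuln" "$dir/sshd_config.ok"; do
        if mitigated "$f"; then echo "$f: mitigated"; fi
    done
    rm -rf "$dir"
}

demo
```

Run it against the real file with `mitigated /etc/ssh/sshd_config`, and remember that editing the file is not enough on its own: the running sshd keeps its old settings until it is restarted, as the statement notes. PAMAuthenticationViaKbdInt is an option of the portable OpenSSH releases of that period; later portable releases dropped it in favour of UsePAM, and a modern sshd rejects it as an unknown keyword, so this check is only meaningful for the 3.x builds the advisory covers.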

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Vendor References



Debian has published a security advisory on this topic at: