Ubuntu Security Notice 3061-1 - Eddie Harari discovered that OpenSSH incorrectly handled password hashing when authenticating non-existing users. A remote attacker could perform a timing attack and enumerate valid users. Tomas Kuthan, Andres Rojas, and Javier Nieto discovered that OpenSSH did not limit password lengths. A remote attacker could use this issue to cause OpenSSH to consume resources, leading to a denial of service. Various other issues were also addressed. Continue reading...
