openssh: Denial of service via very long passwords (CVE-2016-6515)
A denial of service vulnerability was found in OpenSSH. The auth_password function in auth-passwd.c in sshd in OpenSSH before 7.3 does not limit password lengths for password authentication, which allows remote attackers to cause a denial of service (crypt CPU consumption) via a long string.
Reference:
http://seclists.org/oss-sec/2016/q3/215
Patch:
https://github.com/openssh/openssh-portable/commit/fcd135c9df440bcd2d5870405ad3311743d78d97
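The missing length limit described above, shown as an added example; this is not the OpenSSH patch or any project code. The function names, the 1024-byte cap and the slow_verify stand-in for a crypt(3)-based check are assumptions made for illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_PASSWORD_LEN 1024   /* cap assumed for this example */

/* Bytes handed to the expensive verifier so far (makes the cost visible). */
static size_t bytes_hashed;

/* Hypothetical stand-in for a crypt(3)-based check: work grows with length. */
static int slow_verify(const char *password, const char *expected)
{
    bytes_hashed += strlen(password);
    return strcmp(password, expected) == 0;
}

/* Unbounded shape: a peer-chosen length goes straight to the hash. */
int check_password_unbounded(const char *password, const char *expected)
{
    return slow_verify(password, expected);
}

/* Bounded shape: memchr stops at the first NUL and scans at most cap + 1 bytes. */
int check_password_bounded(const char *password, const char *expected)
{
    if (memchr(password, '\0', MAX_PASSWORD_LEN + 1) == NULL)
        return 0;               /* longer than the cap: fail before hashing */
    return slow_verify(password, expected);
}

/* Constructed input: NUL-terminated string of len 'A' bytes (caller frees). */
char *make_password(size_t len)
{
    char *p = calloc(len + 1, 1);
    if (p != NULL) memset(p, 'A', len);
    return p;
}

int main(void)
{
    char *big = make_password(64 * 1024);
    if (big == NULL) return 1;
    check_password_unbounded(big, "secret");
    size_t before = bytes_hashed;
    bytes_hashed = 0;
    check_password_bounded(big, "secret");
    printf("unbounded hashed %zu bytes, bounded hashed %zu\n", before, bytes_hashed);
    free(big);
}
```

A password of exactly MAX_PASSWORD_LEN bytes is still passed to the verifier; one byte more is rejected without any hashing work.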
(from redmine: issue id 6039, created on 2016-08-17, closed on 2016-08-17)
- Relations:
  - child #6040 (closed)
  - child #6041 (closed)
  - child #6042 (closed)
  - child #6043 (closed)