On Tue, Dec 07, 2004 at 08:03:01PM -0500, Marc Deslauriers wrote:
>
> An attacker could measure the time between rejections with an attack
> tool and determine the root password.
>
> https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=141642
>
> I don't think the changelog entry Michal posted earlier has
> anything to do with this bug, so it should definitely go into
> bugzilla.
>

That indeed looks like a new problem, but the quoted Ubuntu advisory,
i.e. http://www.securityfocus.com/advisories/7575, and apparently the
code from the corresponding patch as well (although here I only looked
very quickly and I possibly missed something), refer specifically to
CAN-2003-0190

  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0190

and this was covered by advisories

  http://rhn.redhat.com/errata/RHSA-2003-222.html
  http://rhn.redhat.com/errata/RHSA-2003-224.html

Bugzilla entry 141642 is dated 2004-12-02.

  Michal