Re: Call for testing: OpenSSH 7.3

On Fri, Jul 22, 2016 at 7:05 PM, C0r3dump3d <coredump@xxxxxxxxxxxxx> wrote:
> but now it's easier to establish the DoS
> condition in the access to the OpenSSH server and exhaust the CPU
> resources; any dummy user can be used!

The snapshot you're using (openssh-SNAP-20160722.tar.gz) was
unfortunately made in the time after the code to cap the password size
at 1k was committed to OpenBSD
(http://cvsweb.openbsd.org/cgi-bin/cvsweb/src/usr.bin/ssh/auth-passwd.c.diff?r1=1.44&r2=1.45)
but before it was synced into -Portable
(https://anongit.mindrot.org/openssh.git/commit/?id=fcd135c9df440bcd2d5870405ad3311743d78d97).
As a result, your very large password strings are still making it into
crypt(3).

Please either grab the code directly from git (you'll need to run
"autoreconf" yourself) or try tomorrow's snapshot and retest it.

-- 
Darren Tucker (dtucker at zip.com.au)
GPG key 11EAA6FA / A86E 3E07 5B19 5880 E860  37F4 9357 ECEF 11EA A6FA (new)
    Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
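As an added illustration of the mitigation described in the message above (this is example code written for this page, not OpenSSH's own auth-passwd.c), the C block below puts a length cap in front of the expensive verification step so that an overlong password is rejected before anything like crypt(3) is ever called. The 1024-byte cap follows the "1k" figure in the message; the `verify_fn` stub, the call counter and the demo secret are constructed for the example and stand in for the real crypt-and-compare step.

```c
#define _POSIX_C_SOURCE 200809L   /* for strnlen(3) */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Cap on accepted password length; mirrors the 1k limit the message refers to. */
#define MAX_PASSWORD_LEN 1024

/* Return codes of auth_password_capped(). */
#define AUTH_OK          0
#define AUTH_WRONG      -1
#define AUTH_TOO_LONG   -2

/* Signature of the expensive step (crypt(3) plus compare in a real server). */
typedef int (*verify_fn)(const char *password);

/* Counts how often the expensive step actually ran (constructed for the demo). */
static long g_verify_calls;

/* 1 if the password is within the cap, 0 otherwise.  strnlen() stops scanning
 * after MAX_PASSWORD_LEN + 1 bytes, so even a multi-megabyte input costs only
 * bounded work here; the expensive hash is what the cap protects. */
int password_within_cap(const char *password)
{
    if (password == NULL)
        return 0;
    return strnlen(password, MAX_PASSWORD_LEN + 1) <= MAX_PASSWORD_LEN;
}

/* Gatekeeper in front of the expensive step.  For overlong input the verify
 * callback is never invoked, so the CPU cost is never paid. */
int auth_password_capped(const char *password, verify_fn verify)
{
    if (!password_within_cap(password))
        return AUTH_TOO_LONG;
    return verify(password) ? AUTH_OK : AUTH_WRONG;
}

/* Stand-in for crypt(3)+compare: just counts calls and checks a demo secret. */
static int stub_verify(const char *password)
{
    g_verify_calls++;
    return strcmp(password, "constructed-demo-secret") == 0;
}

long verify_calls(void)
{
    return g_verify_calls;
}

/* Submit a password consisting of n copies of `fill` through the gatekeeper. */
int try_password_of_length(size_t n, char fill)
{
    char *buf = malloc(n + 1);
    int rc;

    if (buf == NULL)
        return AUTH_WRONG;
    memset(buf, fill, n);
    buf[n] = '\0';
    rc = auth_password_capped(buf, stub_verify);
    free(buf);
    return rc;
}

int main(void)
{
    printf("1024-byte password: rc=%d, hash calls so far=%ld\n",
           try_password_of_length(1024, 'a'), verify_calls());
    printf("1 MiB password:     rc=%d, hash calls so far=%ld\n",
           try_password_of_length(1u << 20, 'a'), verify_calls());
    printf("correct password:   rc=%d, hash calls so far=%ld\n",
           auth_password_capped("constructed-demo-secret", stub_verify),
           verify_calls());
    return 0;
}
```

The point to check on a real server is the second line of output: the oversized submission is refused with `AUTH_TOO_LONG` and the hash-call counter does not move, which is exactly the behaviour the snapshot in the message lacked because the cap had not yet reached -Portable.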


