Re: Call for testing: OpenSSH 7.3

Hi, I have tried the git version and now it's OK, no user enumeration
and no DoS!!

If it's possible for the credits of the bug please include my partner
and me:

Andres Rojas -- coredump@xxxxxxxxxxxxx
Javier Nieto -- jnieton@xxxxxxxxx

Thank you very much



On 22/07/16 at 12:23, Darren Tucker wrote:
> On Fri, Jul 22, 2016 at 7:05 PM, C0r3dump3d <coredump@xxxxxxxxxxxxx> wrote:
>> but now it's easier to establish the DoS
>> condition in access to the OpenSSH server and exhaust the CPU
>> resources; any dummy user can be used!
> 
> The snapshot you're using (openssh-SNAP-20160722.tar.gz) was
> unfortunately made after the code to cap the password size
> at 1k was committed to OpenBSD
> (http://cvsweb.openbsd.org/cgi-bin/cvsweb/src/usr.bin/ssh/auth-passwd.c.diff?r1=1.44&r2=1.45)
> but before it was synced into -Portable
> (https://anongit.mindrot.org/openssh.git/commit/?id=fcd135c9df440bcd2d5870405ad3311743d78d97).
> As a result your very large password strings are still making it into
> crypt(3).
> 
> Please either grab the code directly from git (you'll need to run
> "autoreconf" yourself) or try tomorrow's snapshot and retest it.
> 
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev