Package : openssh
Version : 1:5.5p1-6+squeeze7
CVE ID  : CVE-2015-5600
In Debian LTS (squeeze), the fix for CVE-2015-5600 in openssh 1:5.5p1-6+squeeze7 breaks authentication mechanisms that rely on the keyboard-interactive method. Thanks to Colin Watson for making us aware of that.
The patch fixing CVE-2015-5600 introduces the field 'devices_done' to the KbdintAuthctxt struct, but does not initialize the field in the kbdint_alloc() function. On Linux, this ends up filling that field with junk data. The result is random login failures when keyboard-interactive authentication is used.
This upload of openssh 1:5.5p1-6+squeeze7 to Debian LTS (squeeze) adds that initialization of the devices_done field alongside the existing
Users who rely on keyboard-interactive based authentication mechanisms with OpenSSH on Debian squeeze(-lts) systems are advised to upgrade OpenSSH to 1:5.5p1-6+squeeze7.
mike gabriel aka sunweaver (Debian Developer) fon: +49 (1520) 1976 148
GnuPG Fingerprint: 9BFB AEE8 6C0A A5FF BF22 0782 9AF4 6B30 2577 1B31 mail: email@example.com, http://sunweavers.net
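
The regression described above, as an added example (not the Debian patch or OpenSSH source code): a simplified stand-in for KbdintAuthctxt whose allocator leaves devices_done unset, beside the corrected allocator. The poisoned allocator, the reduced field list and the bitmask reading of devices_done (a set bit marks a device as already tried) are assumptions made for illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Simplified stand-in for KbdintAuthctxt; the field list is an assumption. */
typedef struct {
    char *devices;
    unsigned int nreq;
    unsigned int devices_done;  /* field added by the CVE-2015-5600 patch */
} KbdintAuthctxt;

/* malloc() memory is indeterminate; poison it so the junk is deterministic. */
static void *poisoned_malloc(size_t n)
{
    void *p = malloc(n);
    if (p == NULL) abort();
    return memset(p, 0xA5, n);
}

/* Regressed allocator: the older fields are set, devices_done is not. */
KbdintAuthctxt *kbdint_alloc_regressed(void)
{
    KbdintAuthctxt *k = poisoned_malloc(sizeof(*k));
    k->devices = NULL;
    k->nreq = 0;
    return k;
}

/* Corrected allocator: devices_done starts at zero as well. */
KbdintAuthctxt *kbdint_alloc_fixed(void)
{
    KbdintAuthctxt *k = kbdint_alloc_regressed();
    k->devices_done = 0;
    return k;
}

/* Assumed use of the field: bit i set means device i was already tried. */
int device_still_available(const KbdintAuthctxt *k, unsigned int i)
{
    return (k->devices_done & (1u << i)) == 0;
}

int main(void)
{
    KbdintAuthctxt *bad = kbdint_alloc_regressed(), *good = kbdint_alloc_fixed();
    printf("regressed: device 0 available = %d\n", device_still_available(bad, 0));
    printf("fixed:     device 0 available = %d\n", device_still_available(good, 0));
    free(bad); free(good);
}
```

With real heap contents the leftover bits differ from one allocation to the next, which is why the failures show up as random rather than constant.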