8.5 High
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
NONE
Availability Impact
COMPLETE
AV:N/AC:L/Au:N/C:P/I:N/A:C
In Debian LTS (squeeze), the fix for CVE-2015-5600 in openssh
1:5.5p1-6+squeeze7 breaks authentication mechanisms that rely on the
keyboard-interactive method. Thanks to Colin Watson for making aware of
that.
The patch fixing CVE-2015-5600 introduces the field devices_done to the
KbdintAuthctxt struct, but does not initialize the field in the
kbdint_alloc() function. On Linux, this ends up filling that field with
junk data. The result of this are random login failures when
keyboard-interactive authentication is used.
This upload of openssh 1:5.5p1-6+squeeze7 to Debian LTS (squeeze) adds
that initialization of the devices\_done
field alongside the existing
initialization code.
People relying on keyboard-interactive based authentication mechanisms with
OpenSSH on Debian squeeze(-lts) systems are recommended to upgrade
OpenSSH to 1:5.5p1-6+squeeze7.