search for: osueta

On Thu, Jul 21, 2016 at 1:34 PM, Selphie Keller <selphie.keller at gmail.com> wrote: > yeah I like this idea, fixes the issue with blowfish hashes and non root > passwords, maybe random delay as the final fall back if no salts/passwords > are found. Well if there are no accounts with a valid salt then there's also no valid account to compare the timing of invalid accounts

...in the bug, it's possible in certain circumstances to provoke a DOS condition in the access to the ssh server, I made a brief study of this possibility here: https://www.devconsole.info/?p=382 and included this attack in my tool that exploit this vulnerability: https://github.com/c0r3dump3d/osueta It's necessary to request another CVE-ID for the DOS attack? At least, I think it should be clarified in the announce of the vulnerability. Regards.

Hi, OpenSSH 5.3 is almost ready for release, so we would appreciate testing on as many platforms and systems as possible. This release contains some substantial new features and a number of bugfixes. Snapshot releases for portable OpenSSH are available from http://www.mindrot.org/openssh_snap/ The OpenBSD version is available in CVS HEAD: http://www.openbsd.org/anoncvs.html Portable OpenSSH is