USN-3061-1 OpenSSH vulnerability
Medium
Canonical Ubuntu, openssh
Canonical Ubuntu 14.04 LTS
Eddie Harari discovered that OpenSSH incorrectly handled password hashing when authenticating non-existing users. A remote attacker could perform a timing attack and enumerate valid users. (CVE-2016-6210)
Tomas Kuthan, Andres Rojas, and Javier Nieto discovered that OpenSSH did not limit password lengths. A remote attacker could use this issue to cause OpenSSH to consume resources, leading to a denial of service. (CVE-2016-6515)
_Severity is medium unless otherwise noted.
_
Users of affected versions should apply the following mitigation:
Eddie Harari, Tomas Kuthan, Javier Nieto, and Andres Rojas