MNBSD-2015-7: OpenSSH SSHFP verification bypass and MaxAuthTries bypass

Severity: Unknown

Affected Package: openssh

Summary: OpenSSH SSHFP verification bypass and MaxAuthTries bypass

Description

Two OpenSSH security vulnerabilities were fixed. OpenSSH clients did not correctly verify DNS SSHFP records when a server offered a certificate, and OpenSSH servers configured to allow PAM password authentication (the default) allowed MaxAuthTries to be bypassed, permitting many password attempts and easing brute-force attacks.

Affected Versions

openssh

Recommendations

No specific recommendations provided.

References

Additional Information

Aliases: CVE-2014-2653, CVE-2015-5600

Published: July 28, 2015
Last Modified: July 28, 2015