CVE-2009-1273

NameCVE-2009-1273
Descriptionpam_ssh 1.92 and possibly other versions, as used when PAM is compiled with USE=ssh, generates different error messages depending on whether the username is valid or invalid, which makes it easier for remote attackers to enumerate usernames.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
Debian Bugs535877

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
libpam-ssh (PTS)jessie2.01-2fixed
stretch2.1+ds1-2fixed
buster2.3+ds-1fixed
bullseye2.3+ds-2fixed
sid, trixie2.3+ds-8fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
libpam-sshsourcelenny1.91.0-9.3+lenny1
libpam-sshsource(unstable)1.92-7low535877

Notes

[etch] - libpam-ssh <no-dsa> (Minor issue)
Search for package or bug name: Reporting problems