[arch-security] [ASA-201608-1] openssh: information leakage
Arch Linux Security Advisory ASA-201608-1
=========================================

Severity: Medium
Date    : 2016-08-02
CVE-ID  : CVE-2016-6210
Package : openssh
Type    : information leakage
Remote  : Yes
Link    : https://wiki.archlinux.org/index.php/CVE

Summary
=======

The package openssh before version 7.3p1-1 is vulnerable to information leakage.

Resolution
==========

Upgrade to 7.3p1-1.

# pacman -Syu "openssh>=7.3p1-1"

The problem has been fixed upstream in version 7.3p1.

Workaround
==========

None.

Description
===========

sshd showed timing differences in password authentication that could be used to discern valid from invalid account names when long passwords were sent and particular password hashing algorithms were in use on the server. Version 7.3p1 mitigates these timing differences.

Reported by EddieEzra.Harari at verint.com

Impact
======

A remote attacker is able to enumerate users by sending large passwords.

References
==========

https://access.redhat.com/security/cve/CVE-2016-6210
http://seclists.org/fulldisclosure/2016/Jul/51
http://www.openssh.com/txt/release-7.3
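The class of bug behind this advisory, shown as an added illustration (not OpenSSH's own auth-passwd.c, and not the Arch package): a password check that returns early for unknown accounts does less work than one for a real account, which is what makes account names distinguishable; the mitigated form hashes the supplied password against dummy credentials with the same algorithm and cost on every path. The user database and PBKDF2 stand-in for the server's hash are constructed for the demo; a counter records how often the costly hash actually runs.

```python
import hashlib
import hmac
import os

# Illustrative only: a costly hash stands in for the server's password
# hashing algorithm. Credentials below are constructed sample data.
ITERATIONS = 20_000
HASH_CALLS = {"n": 0}  # how often the costly hash ran (demo instrumentation)


def slow_hash(password: bytes, salt: bytes) -> bytes:
    HASH_CALLS["n"] += 1
    return hashlib.pbkdf2_hmac("sha512", password, salt, ITERATIONS)


def make_user_db(creds: dict) -> dict:
    """Build {user: (salt, digest)} from plaintext creds (constructed sample)."""
    db = {}
    for user, password in creds.items():
        salt = os.urandom(16)
        db[user] = (salt, slow_hash(password.encode(), salt))
    return db


def check_vulnerable(db: dict, user: str, password: bytes) -> bool:
    """Leaky pattern: an unknown user is rejected before any hashing, so the
    reply comes back faster than for a real account."""
    entry = db.get(user)
    if entry is None:
        return False
    salt, digest = entry
    return hmac.compare_digest(slow_hash(password, salt), digest)


# Dummy credentials hashed with the same algorithm and cost as real ones,
# so the unknown-user path does the same work as the known-user path.
DUMMY_SALT = os.urandom(16)
DUMMY_DIGEST = slow_hash(os.urandom(32), DUMMY_SALT)


def check_hardened(db: dict, user: str, password: bytes) -> bool:
    """Mitigated pattern: always hash the supplied password, substituting the
    dummy credentials when the user is unknown, then reject regardless."""
    entry = db.get(user)
    known = entry is not None
    salt, digest = entry if known else (DUMMY_SALT, DUMMY_DIGEST)
    match = hmac.compare_digest(slow_hash(password, salt), digest)
    return known and match
```

The real fix also has to use the same hash type as the configured accounts, since the advisory notes that the leak depends on which hashing algorithm the server uses; a dummy hashed with a cheaper algorithm would reintroduce the difference.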
participants (1)
-
Christian Rebischke