Call for testing: OpenSSH 7.3

C0r3dump3d coredump at
Fri Jul 22 21:40:46 AEST 2016

Hi, I have tried the git version and now it's OK, no user enumeration
and no DoS!!

If it's possible, for the credits of the bug please include my partner
and me:

Andres Rojas -- coredump at
Javier Nieto -- jnieton at

Thank you very much

On 22/07/16 at 12:23, Darren Tucker wrote:
> On Fri, Jul 22, 2016 at 7:05 PM, C0r3dump3d <coredump at> wrote:
>> but now it's easier to establish the DoS
>> condition when accessing the OpenSSH server and exhausting the CPU
>> resources; any dummy user can be used!
> The snapshot you're using (openssh-SNAP-20160722.tar.gz) was
> unfortunately made in the time after the code to cap the password size
> at 1k was committed to OpenBSD
> (
> but before it was synced into -Portable
> (
> As a result your very large password strings are still making it into
> crypt(3).
> Please either grab the code directly from git (you'll need to run
> "autoreconf" yourself) or try tomorrow's snapshot and retest it.
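The mitigation Darren describes above is a size cap applied to the password before it reaches crypt(3), so an oversized string from any username (real or not) cannot drive CPU-heavy hashing. The following is an added example, not OpenSSH code and not from anyone in this thread: a toy password check that enforces the "1k" cap before any hashing or user lookup. The 1024-byte constant, the PBKDF2 stand-in for crypt(3), the sample user table and the fake entry for unknown users are all assumptions of the example.

```python
import hashlib
import hmac
import os

# "1k" cap on the password size, as described in the thread. The exact
# constant and where OpenSSH applies it are assumptions of this example.
MAX_PASSWORD_BYTES = 1024
# Deliberately slow hash standing in for crypt(3); the real cost depends
# on the system's crypt(3) method (assumption).
ROUNDS = 100_000

_stats = {"hash_calls": 0}


def slow_hash(password: bytes, salt: bytes) -> bytes:
    """The expensive step that an uncapped password would inflate."""
    _stats["hash_calls"] += 1
    return hashlib.pbkdf2_hmac("sha256", password, salt, ROUNDS)


def hash_calls() -> int:
    """How many times the slow hash has run (used to verify the cap)."""
    return _stats["hash_calls"]


# Constructed sample user database: username -> (salt, stored hash).
_SALT = b"constructed-salt"
USERS = {"alice": (_SALT, slow_hash(b"correct horse", _SALT))}
# Constructed fake entry so that an unknown user costs the same as a known
# one (assumption about the enumeration defence, not taken from the thread).
FAKE_ENTRY = (_SALT, slow_hash(os.urandom(16), _SALT))


def authenticate(username: str, password: bytes) -> bool:
    """Return True only for a known user with the right password."""
    # The cap is enforced before the user lookup and before any hashing,
    # so "any dummy user" cannot trigger the expensive work.
    if len(password) > MAX_PASSWORD_BYTES:
        return False
    salt, expected = USERS.get(username, FAKE_ENTRY)
    ok = hmac.compare_digest(slow_hash(password, salt), expected)
    return ok and username in USERS
```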
