CVE-2009-1273 | Vulnerability Database | Aqua Security

pam_ssh 1.92 and possibly other versions, as used when PAM is compiled with USE=ssh, generates different error messages depending on whether the username is valid or invalid, which makes it easier for remote attackers to enumerate usernames.

Affected Software

Name	Vendor	Start Version	End Version
Pam_ssh	Andrew_j.korty	1.92 (including)	1.92 (including)
Libpam-ssh	Ubuntu	dapper	*
Libpam-ssh	Ubuntu	gutsy	*
Libpam-ssh	Ubuntu	hardy	*
Libpam-ssh	Ubuntu	intrepid	*
Libpam-ssh	Ubuntu	jaunty	*
Libpam-ssh	Ubuntu	karmic	*

References

http://bugs.gentoo.org/show_bug.cgi?id=263579
http://secunia.com/advisories/34536
http://secunia.com/advisories/34986
https://www.redhat.com/archives/fedora-package-announce/2009-May/msg00116.html
https://www.redhat.com/archives/fedora-package-announce/2009-May/msg00145.html
http://bugs.gentoo.org/show_bug.cgi?id=263579
http://secunia.com/advisories/34536
http://secunia.com/advisories/34986
https://www.redhat.com/archives/fedora-package-announce/2009-May/msg00116.html
https://www.redhat.com/archives/fedora-package-announce/2009-May/msg00145.html

NVD	https://nvd.nist.gov/vuln/detail/CVE-2009-1273
CWE	https://cwe.mitre.org/data/definitions/255.html