Synopsis :

The remote Debian host is missing a security-related update.

Description :

If the UseLogin feature is enabled in ssh local users could pass
environment variables (including variables like LD_PRELOAD) to the
login process. This has been fixed by not copying the environment if
UseLogin is enabled.

Please note that the default configuration for Debian does not have
UseLogin enabled.

See also :

http://www.debian.org/security/2001/dsa-091

Solution :

This has been fixed in version 1:1.2.3-9.4.

Risk factor :

High / CVSS Base Score : 7.2
(CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C)
CVSS Temporal Score : 5.3
(CVSS2#E:U/RL:OF/RC:C)
Public Exploit Available : false