[Bug 1732172] Re: [CVE] Security Vulnerabilities in OpenSSH on Ubuntu 14.04
Emily Ratliff
1732172 at bugs.launchpad.net
Mon Nov 27 23:18:13 UTC 2017
Thanks for taking the time to report this bug and make Ubuntu better. You can see more information about these CVEs by using the CVE tracker. See
https://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-8858.html
https://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-10009.html
https://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-10010.html
https://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-10011.html
https://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-10012.html
CVE-2016-8858 is disputed by upstream since the attacker can only DoS their own connection.
CVE-2016-10012 is related to pre-auth compression, which has been disabled by default for > 10 years.
CVE-2016-10010 is only impactful if privilege separation is not used; however, privilege separation is enabled by default.
CVE-2016-10009 and CVE-2016-20011 are both low priority.
These issues are on the list to be fixed and will be fixed as soon as possible based on their priority.
Will your scanning software allow you to annotate findings?
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2016-20011
--
https://bugs.launchpad.net/bugs/1732172
Title:
[CVE] Security Vulnerabilities in OpenSSH on Ubuntu 14.04
Status in openssh package in Ubuntu:
New
Bug description:
Does anyone know when the following OpenSSH vulnerabilities will be
patched on Ubuntu 14.04?
CVE-2016-10009, CVE-2016-10010, CVE-2016-10011, CVE-2016-10012,
CVE-2016-8858
As these are coming up repeatedly on our security scans.
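Added example, not part of the original message or of any Ubuntu tooling: one way to produce the per-host annotation the reply asks about, by checking an sshd_config against the two configuration conditions it names (privilege separation for CVE-2016-10010, pre-auth compression for CVE-2016-10012). The function names and sample configs are constructed for illustration; on a live host, `sshd -T` prints the effective settings to check instead.

```python
# Added example: conditions come from the triage note above; keyword names
# are standard sshd_config(5) directives. Sample configs are constructed.
CHECKS = {
    # CVE: (keyword, values under which the note says the issue matters)
    "CVE-2016-10010": ("useprivilegeseparation", {"no"}),
    "CVE-2016-10012": ("compression", {"yes"}),  # "yes" = compress before auth
}

def global_settings(config_text):
    """Map lower-cased global keywords to their effective value.

    sshd keeps the first value it reads for a keyword, so later duplicates
    are ignored. Parsing stops at the first Match block (a simplification).
    """
    settings = {}
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.replace("=", " ", 1).split(None, 1)
        if len(parts) != 2:
            continue
        keyword = parts[0].lower()
        if keyword == "match":
            break
        settings.setdefault(keyword, parts[1].strip().strip('"').lower())
    return settings

def annotate(config_text):
    """Return {CVE: annotation} for the two config-dependent findings."""
    cfg = global_settings(config_text)
    notes = {}
    for cve, (keyword, exposed) in CHECKS.items():
        value = cfg.get(keyword)  # None: the compiled-in default applies
        if value in exposed:
            notes[cve] = f"applicable: {keyword}={value}"
        else:
            notes[cve] = f"not impactful: {keyword}={value or 'default'}"
    return notes

# Constructed sample configs
DEFAULT_CFG = "Port 22\nUsePrivilegeSeparation yes\n#Compression yes\n"
WEAK_CFG = ("UsePrivilegeSeparation no\nCompression yes\nCompression delayed\n"
            "Match User backup\n    X11Forwarding no\n")

if __name__ == "__main__":
    for name, text in (("default", DEFAULT_CFG), ("weak", WEAK_CFG)):
        print(name, annotate(text))
```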