[Bug 1794629] Re: CVE-2018-15473 - User enumeration vulnerability
Seth Arnold
1794629 at bugs.launchpad.net
Sat Apr 6 01:53:58 UTC 2019
Root, aha! We've finally uncovered the root of the problem. (Sorry. I
can't help myself. It's Friday afternoon.)
While Qualys' TLS scanner is a top-notch tool that I use regularly,
their "security scanner" is sadly not. They have built a tool that
checks version numbers. This is not ideal, because the clear majority of
Linux systems do not do wholesale version updates but instead backport
specific security fixes:
https://wiki.ubuntu.com/SecurityTeam/FAQ#Versions
https://www.debian.org/security/faq#version
https://wiki.centos.org/FAQ/General#head-3dad8cb98ac535185e58e882a23ca4b096cbff2f
https://access.redhat.com/security/updates/backporting
These sorts of security scanners would be more useful if everyone built
their entire systems from scratch.
Anyway, please ask Qualys to consider consuming our OVAL data:
https://people.canonical.com/~ubuntu-security/oval/
or parsing our database directly:
https://git.launchpad.net/ubuntu-cve-tracker
Both of these approaches would give better results. (There are tradeoffs
involved. They are welcome to contact us at security at ubuntu.com if they
would like to discuss the tradeoffs.)
Thanks
--
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to openssh in Ubuntu.
https://bugs.launchpad.net/bugs/1794629
Title:
CVE-2018-15473 - User enumeration vulnerability
Status in openssh package in Ubuntu:
Fix Released
Status in openssh source package in Trusty:
Fix Released
Status in openssh source package in Xenial:
Fix Released
Status in openssh source package in Bionic:
Fix Released
Status in openssh source package in Cosmic:
Fix Released
Bug description:
https://nvd.nist.gov/vuln/detail/CVE-2018-15473
OpenSSH through 7.7 is prone to a user enumeration vulnerability due
to not delaying bailout for an invalid authenticating user until after
the packet containing the request has been fully parsed, related to
auth2-gss.c, auth2-hostbased.c, and auth2-pubkey.c.
Fixed in Debian: https://www.debian.org/security/2018/dsa-4280
Currently pending triage? https://people.canonical.com/~ubuntu-
security/cve/2018/CVE-2018-15473.html
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/openssh/+bug/1794629/+subscriptions
More information about the foundations-bugs
mailing list