[Bug 1891123] Re: Openssh vulnerability on ubuntu 16.04
Sowmya Divvi
1891123 at bugs.launchpad.net
Tue Aug 11 05:38:44 UTC 2020
** Summary changed:
- This is regarding the openssh vulnerability reported in our environment during security scan. Our environment base is ubuntu 16.04 Xenial.
+ Openssh vulnerability on ubuntu 16.04
--
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to openssh in Ubuntu.
https://bugs.launchpad.net/bugs/1891123
Title:
Openssh vulnerability on ubuntu 16.04
Status in openssh package in Ubuntu:
New
Bug description:
Hi
This is regarding the openssh vulnerability reported in our environment during a security scan.
Our environment base is Ubuntu 16.04 Xenial.
The vulnerability report says that openssh is vulnerable in 16.04.
It says:
** DISPUTED ** The kex_input_kexinit function in kex.c in OpenSSH 6.x and 7.x through 7.3 allows remote attackers to cause a denial of service (memory consumption) by sending many duplicate KEXINIT requests.
NOTE: a third party reports that "OpenSSH upstream does not consider this as a security issue."
As per the link below, this is ignored on 16.04. But as per the vulnerability scan in our environment, this is reported as a high priority issue.
https://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-8858.html
And this vulnerability is reported to be fixed from 18.04 Ubuntu releases in openssh 7.3 later versions.
But in 16.04 the latest openssh version is 7.2, as per https://launchpad.net/ubuntu/xenial/+source/openssh
Can we expect to get this openssh vulnerability fixed even in
16.04?
Best Regards,
Sowmya Divvi
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/openssh/+bug/1891123/+subscriptions