[Bug 1794629] Re: CVE-2018-15473 - User enumeration vulnerability
root
1794629 at bugs.launchpad.net
Fri Apr 5 07:51:11 UTC 2019
@set, That's fine, but scanned Qualys report suggests to install openssh
>7.8 to fix this bug!, not sure where is the issue, PFA for sample
qualys report, do you know how to change the openssh version and hide OS
version without compiling?, any SSHD_options? let me know.
Thanks
** Attachment added: "recent qualys report on a server with openssh 7.6p1"
https://bugs.launchpad.net/ubuntu/+source/openssh/+bug/1794629/+attachment/5253000/+files/qualys_scan_report_2019.png
--
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to openssh in Ubuntu.
https://bugs.launchpad.net/bugs/1794629
Title:
CVE-2018-15473 - User enumeration vulnerability
Status in openssh package in Ubuntu:
Fix Released
Status in openssh source package in Trusty:
Fix Released
Status in openssh source package in Xenial:
Fix Released
Status in openssh source package in Bionic:
Fix Released
Status in openssh source package in Cosmic:
Fix Released
Bug description:
https://nvd.nist.gov/vuln/detail/CVE-2018-15473
OpenSSH through 7.7 is prone to a user enumeration vulnerability due
to not delaying bailout for an invalid authenticating user until after
the packet containing the request has been fully parsed, related to
auth2-gss.c, auth2-hostbased.c, and auth2-pubkey.c.
Fixed in Debian: https://www.debian.org/security/2018/dsa-4280
Currently pending triage? https://people.canonical.com/~ubuntu-
security/cve/2018/CVE-2018-15473.html
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/openssh/+bug/1794629/+subscriptions
More information about the foundations-bugs
mailing list