[Bug 1794629] Re: CVE-2018-15473 - User enumeration vulnerability

[Seth Arnold]

root, version 1:7.6p1-4ubuntu0.1 was published to the archive on
November 6th 2018:

https://launchpad.net/ubuntu/+source/openssh/1:7.6p1-4ubuntu0.1
https://lists.ubuntu.com/archives/bionic-changes/2018-November/017000.html
https://usn.ubuntu.com/3809-1/

A default configuration of Ubuntu 18.04 LTS with unattended-upgrades
installed would have received this update within the next 36 hours or
so. If you installed before November 6th, then you probably received the
update November 6th or 7th. If you installed after November 6th, then
you probably received the update during installation. You can check
/var/log/dpkg.log* files to find the exact date and time you received
the update.

Thanks

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to openssh in Ubuntu.
https://bugs.launchpad.net/bugs/1794629

Title:
  CVE-2018-15473 - User enumeration vulnerability

Status in openssh package in Ubuntu:
  Fix Released
Status in openssh source package in Trusty:
  Fix Released
Status in openssh source package in Xenial:
  Fix Released
Status in openssh source package in Bionic:
  Fix Released
Status in openssh source package in Cosmic:
  Fix Released

Bug description:
  https://nvd.nist.gov/vuln/detail/CVE-2018-15473

  OpenSSH through 7.7 is prone to a user enumeration vulnerability due
  to not delaying bailout for an invalid authenticating user until after
  the packet containing the request has been fully parsed, related to
  auth2-gss.c, auth2-hostbased.c, and auth2-pubkey.c.

  Fixed in Debian: https://www.debian.org/security/2018/dsa-4280

  Currently pending triage? https://people.canonical.com/~ubuntu-
  security/cve/2018/CVE-2018-15473.html

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/openssh/+bug/1794629/+subscriptions