Leroy Tennison leroy.tennison at
Thu Oct 28 19:29:02 UTC 2021

Thanks for your reply, I was afraid of that.  Any suggestion on how we deal with this?

-----Original Message-----
From: Sergio Durigan Junior <sergiodj at>
To: Leroy Tennison <leroy.tennison at>
Cc: ubuntu-server at <ubuntu-server at>
Sent: Thu, Oct 28, 2021 2:22 pm
Subject: Re: CVE-2016-20012

On Thursday, October 28 2021, Leroy Tennison wrote:

> Under "Notes:" for Seth
> Arnold makes a reference to "openssh-ssh1", does this CVE only apply
> to version 1 of openssh?  The reason I ask is that we have a PCI
> environment and our scanning vendor has noted us as non-compliant
> because of this CVE.  I understand there is disagreement about the
> severity of the CVE but we need an answer and Seth hasn't provided a
> public email address.  If the CVE applies only to ssh version 1 then
> we have an answer.
> A related question, would using a certificate-based ssh configuration avoid this issue?
> Thanks for your help.

Hello Leroy,

I looked at the CVE and upstream fix/discussion, and it doesn't seem to
me like this is just applicable to version 1 of the protocol.  For
example, take a look at the following highlighted comment:

You will notice that it tries to send a userauth message using SSH2:

  if ((r = sshpkt_start(ssh, SSH2_MSG_USERAUTH_PK_OK))...

I read Seth's notes as a simple warning for those users who rely on
openssh-ssh1 (likely due to old devices), letting them know that the fix
for this CVE may not be provided for them if doing so means breaking
compatibility with said old equipment.


GPG key ID: E92F D0B3 6B14 F1F4 D8E0  EB2F 106D A1C8 C3CB BF14