Bug#906236: marked as done (openssh: CVE-2018-15473: delay bailout for invalid authenticating user until after the packet)

[Debian Bug Tracking System]

Your message dated Fri, 24 Aug 2018 13:52:09 +0000
with message-id <e1ftcvv-000g37...@fasolo.debian.org>
and subject line Bug#906236: fixed in openssh 1:7.4p1-10+deb9u4
has caused the Debian Bug report #906236,
regarding openssh: CVE-2018-15473: delay bailout for invalid authenticating 
user until after the packet
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
906236: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=906236
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems

--- Begin Message ---

Source: openssh
Version: 1:7.7p1-1
Severity: important
Tags: patch security upstream

Hi

See http://www.openwall.com/lists/oss-security/2018/08/15/5 for
details.

Upstream patch:

https://github.com/openbsd/src/commit/779974d35b4859c07bc3cb8a12c74b43b0a7d1e0

Regards,
Salvatore

--- End Message ---

--- Begin Message ---

Source: openssh
Source-Version: 1:7.4p1-10+deb9u4

We believe that the bug you reported is fixed in the latest version of
openssh, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 906...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Sebastien Delafond <s...@debian.org> (supplier of updated openssh package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Tue, 21 Aug 2018 05:14:18 +0200
Source: openssh
Binary: openssh-client openssh-client-ssh1 openssh-server openssh-sftp-server 
ssh ssh-krb5 ssh-askpass-gnome openssh-client-udeb openssh-server-udeb
Architecture: source amd64 all
Version: 1:7.4p1-10+deb9u4
Distribution: stretch-security
Urgency: high
Maintainer: Debian OpenSSH Maintainers <debian-ssh@lists.debian.org>
Changed-By: Sebastien Delafond <s...@debian.org>
Description:
 openssh-client - secure shell (SSH) client, for secure access to remote 
machines
 openssh-client-ssh1 - secure shell (SSH) client for legacy SSH1 protocol
 openssh-client-udeb - secure shell client for the Debian installer (udeb)
 openssh-server - secure shell (SSH) server, for secure access from remote 
machines
 openssh-server-udeb - secure shell server for the Debian installer (udeb)
 openssh-sftp-server - secure shell (SSH) sftp server module, for SFTP access 
from remot
 ssh        - secure shell client and server (metapackage)
 ssh-askpass-gnome - interactive X program to prompt users for a passphrase for 
ssh-ad
 ssh-krb5   - secure shell client and server (transitional package)
Closes: 906236
Changes:
 openssh (1:7.4p1-10+deb9u4) stretch-security; urgency=high
 .
   * Non-maintainer upload by the Security Team
   * CVE-2018-15473: fix username enumeration issue, initially reported
     by Dariusz Tytko and Michal Sajdak (Closes: #906236)
Checksums-Sha1:
 f7896be809649b58e523ade9ae69e45b361011a4 2579 openssh_7.4p1-10+deb9u4.dsc
 2330bbf82ed08cf3ac70e0acf00186ef3eeb97e0 1511780 openssh_7.4p1.orig.tar.gz
 9a265a9c4522f701fd641b707cb3c4dd7b0498b9 163928 
openssh_7.4p1-10+deb9u4.debian.tar.xz
 60da5987a5b7531836f5581e48ceb53cde16071b 2954416 
openssh-client-dbgsym_7.4p1-10+deb9u4_amd64.deb
 0aeef82bf97cb616420ebd566a21e2890e0115bc 1210976 
openssh-client-ssh1-dbgsym_7.4p1-10+deb9u4_amd64.deb
 ae7d71dffabe7ab236308f731d64e6f6c63efaeb 338452 
openssh-client-ssh1_7.4p1-10+deb9u4_amd64.deb
 4f62e1805aad11d416140a049231b328da522eea 278770 
openssh-client-udeb_7.4p1-10+deb9u4_amd64.udeb
 d63fff21911a843aa1f3c22e54e893037decb9c9 777890 
openssh-client_7.4p1-10+deb9u4_amd64.deb
 d55f10284dde90380051da665afed97bc4ef6f9a 876748 
openssh-server-dbgsym_7.4p1-10+deb9u4_amd64.deb
 e6f84fcaec017d25c251e5397687d31bdaf8cba2 282828 
openssh-server-udeb_7.4p1-10+deb9u4_amd64.udeb
 c9a159aecf26797381d4c3696726e23f1b6da7b3 332484 
openssh-server_7.4p1-10+deb9u4_amd64.deb
 c3d39129c09d8b9a516148338c05be95e602c792 107634 
openssh-sftp-server-dbgsym_7.4p1-10+deb9u4_amd64.deb
 818726442a8a988942bd5092e011940bba7ae4c9 39488 
openssh-sftp-server_7.4p1-10+deb9u4_amd64.deb
 077ed5a61495a2d7d7f7e8be9cb92a3ec8efd704 17176 
openssh_7.4p1-10+deb9u4_amd64.buildinfo
 ca308440abe83c110f64460b0458822c7b16b77d 11670 
ssh-askpass-gnome-dbgsym_7.4p1-10+deb9u4_amd64.deb
 84c79a6c400da66d3ea15d099d5d6e202d933e9d 200334 
ssh-askpass-gnome_7.4p1-10+deb9u4_amd64.deb
 b6dde63ec4115626a5e4e72dc9cd128cb8444cfb 186624 
ssh-krb5_7.4p1-10+deb9u4_all.deb
 0c0ea6d0106caff3f1452aec67e1f89878809bc6 188968 ssh_7.4p1-10+deb9u4_all.deb
Checksums-Sha256:
 57eb36cd403b8f9f06d776f3f2f0ba4ddb52aff01ab88c134099838bff1c245f 2579 
openssh_7.4p1-10+deb9u4.dsc
 1b1fc4a14e2024293181924ed24872e6f2e06293f3e8926a376b8aec481f19d1 1511780 
openssh_7.4p1.orig.tar.gz
 cf02250803a0a8762b520ad16679736e2177e06a1dff67c018b32d668070e686 163928 
openssh_7.4p1-10+deb9u4.debian.tar.xz
 474e2331448a1b6fd88c9028dea6d5f51b5eff28acddc9d75f534e9a9c4e4ebc 2954416 
openssh-client-dbgsym_7.4p1-10+deb9u4_amd64.deb
 5e5e0427d02af82167c835a94584c225e51a68eb12965e385519f2818fdbe78e 1210976 
openssh-client-ssh1-dbgsym_7.4p1-10+deb9u4_amd64.deb
 7bd3114348cb1954f03087f32ee274c9804650a30eac9cbbbb0d4a133b802f13 338452 
openssh-client-ssh1_7.4p1-10+deb9u4_amd64.deb
 20e907d80cab61aec1655e491017980ecc72491586dbbfcbbee70cc536f95cf0 278770 
openssh-client-udeb_7.4p1-10+deb9u4_amd64.udeb
 e352d88c4cfe7cceef76f4f7e8358555a03e747b3f4a48be67da479eff490231 777890 
openssh-client_7.4p1-10+deb9u4_amd64.deb
 9ab26e8e3195494ce0cca91f02b48465dcdc5b64bccbf7438fc8785c8ba75e21 876748 
openssh-server-dbgsym_7.4p1-10+deb9u4_amd64.deb
 d9496ac636b453743fac45d72d0ed7fcc09662c837b9cdcac3477ce14a9b335f 282828 
openssh-server-udeb_7.4p1-10+deb9u4_amd64.udeb
 c154ad507ec7f0a903bf2209613fc18c1f309812d66cf2d24b04a6d48b380247 332484 
openssh-server_7.4p1-10+deb9u4_amd64.deb
 a1eca4e80e090ff9cd89c1709228e781ad5d460f36c2a7c676dfa042f6ea9369 107634 
openssh-sftp-server-dbgsym_7.4p1-10+deb9u4_amd64.deb
 b3322ee9a49b8c823edd7e912ddd3accb4f0130aa4b14f544d3767a0bfa1830e 39488 
openssh-sftp-server_7.4p1-10+deb9u4_amd64.deb
 7e250234a1b21cad61ab4fe8fd88bc60fad247115c4c128421be9ad3072b2f1a 17176 
openssh_7.4p1-10+deb9u4_amd64.buildinfo
 09d23a7b65f66254dfed1ed259a76594736356bef4878c4593f2417cc79f30d5 11670 
ssh-askpass-gnome-dbgsym_7.4p1-10+deb9u4_amd64.deb
 699a9fb7459a87c24c799fb2645c97ec3937ccc1f26384f30f1d10e331dad6bf 200334 
ssh-askpass-gnome_7.4p1-10+deb9u4_amd64.deb
 7e5e203c05d0213ab8ae2f9d23428523f6018a03a6e5425a1db1dc0df519bd7f 186624 
ssh-krb5_7.4p1-10+deb9u4_all.deb
 87689c0389a8b481ed81962e9d092acd9ebce289f81563c7c9c793566734cb32 188968 
ssh_7.4p1-10+deb9u4_all.deb
Files:
 0fce8f2f388cea31837f77720f304970 2579 net standard openssh_7.4p1-10+deb9u4.dsc
 b2db2a83caf66a208bb78d6d287cdaa3 1511780 net standard openssh_7.4p1.orig.tar.gz
 0b929690b637a6bfa5c1bb4a9958f898 163928 net standard 
openssh_7.4p1-10+deb9u4.debian.tar.xz
 0a72c2229d3377e8b3c0f9a16df30c71 2954416 debug extra 
openssh-client-dbgsym_7.4p1-10+deb9u4_amd64.deb
 ae0af76ca1a75039f3012cf0f5f33f63 1210976 debug extra 
openssh-client-ssh1-dbgsym_7.4p1-10+deb9u4_amd64.deb
 31065f4e4c1f13f0aa13d0e648c2ad62 338452 net extra 
openssh-client-ssh1_7.4p1-10+deb9u4_amd64.deb
 939fffa6b32286bbf1484211a32dbccd 278770 debian-installer optional 
openssh-client-udeb_7.4p1-10+deb9u4_amd64.udeb
 c6698c0b6f6dd036bff4c841dcd248d0 777890 net standard 
openssh-client_7.4p1-10+deb9u4_amd64.deb
 aaaa0a664ac210e0ec566b796f101a79 876748 debug extra 
openssh-server-dbgsym_7.4p1-10+deb9u4_amd64.deb
 0f2e5b133454c83d5017a8531859da85 282828 debian-installer optional 
openssh-server-udeb_7.4p1-10+deb9u4_amd64.udeb
 9dc9f22f6b5cb5b18a58905d00a85c6f 332484 net optional 
openssh-server_7.4p1-10+deb9u4_amd64.deb
 fc970df8354f928057f77f820397ae75 107634 debug extra 
openssh-sftp-server-dbgsym_7.4p1-10+deb9u4_amd64.deb
 7197d5f65a3287e7ca27e71d961f1c5c 39488 net optional 
openssh-sftp-server_7.4p1-10+deb9u4_amd64.deb
 4e93a936b2495373e38b0ea582b9bf17 17176 net standard 
openssh_7.4p1-10+deb9u4_amd64.buildinfo
 0d00c04242caa6f2d2c5640d977f808e 11670 debug extra 
ssh-askpass-gnome-dbgsym_7.4p1-10+deb9u4_amd64.deb
 06497b544e68e59a301b2c86b0731ced 200334 gnome optional 
ssh-askpass-gnome_7.4p1-10+deb9u4_amd64.deb
 39b8d2f160d02fe655fa8fb9b2211dad 186624 oldlibs extra 
ssh-krb5_7.4p1-10+deb9u4_all.deb
 bacf91eb7237db8183084792e9069edf 188968 net extra ssh_7.4p1-10+deb9u4_all.deb

-----BEGIN PGP SIGNATURE-----

iQEzBAEBCgAdFiEEAqSkbVtrXP4xJMh3EL6Jg/PVnWQFAlt8HCgACgkQEL6Jg/PV
nWR4NwgAycNHYJDnkVgxBEUY2bdzFZWHWI6KEAcGOuM9Q4IiKo3j0hZPpeIDhfUT
FXG5AXizmn3UVQkRUeA9c3Kh7+CyPyE3EYXKNTrahuJmACJv5zj3CSYlD8J9YQcz
8SnCVGmYhaLkuNWbDvDrXHDHx+HTrRllH/jJzmuAt12eco+ViBZsqbYWcfr16IUW
GOuRhYIKDtO0cEfZNcrAkyrn+8iEST5hT2lVFBdYn8g9wU/9sJ+uyRkVQLhhGay+
bochvnG4H1edKST4JFtCCQZFbsGPAe23+JOwrKJyC4irTW2Oc84S2fRTtTPAHfwi
5CLLtDfGWVyYCag8vGlTrvVkcuaN2w==
=QjwD
-----END PGP SIGNATURE-----

--- End Message ---