Source: openssh
Version: 1:6.7p1-1
Severity: normal
Tags: security upstream

Hi,

The following vulnerability was published for openssh, filing as a bug in
the BTS mainly for tracking. I do not think a DSA is needed for it, and as a
side note, upstream does not want to treat such a user enumeration as a
vulnerability. Once a fix is available it would still be sensible to have
it at least for buster, disputable on what to do for stretch.

CVE-2018-15919[0]:
| Remotely observable behaviour in auth-gss2.c in OpenSSH through 7.8
| could be used by remote attackers to detect existence of users on a
| target system when GSS2 is in use. NOTE: the discoverer states 'We
| understand that the OpenSSH developers do not want to treat such a
| username enumeration (or "oracle") as a vulnerability.'

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2018-15919
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-15919
[1] https://bugzilla.novell.com/show_bug.cgi?id=1106163
[2] https://bugzilla.redhat.com/show_bug.cgi?id=1623184

Regards,
Salvatore