[Bug 1794629] Re: CVE-2018-15473 - User enumeration vulnerability

2019-04-09 Thread Vital Koshalew via ubuntu-bugs
@seth-arnold,

You are talking about a different type of vulnerability scanning that is
not part of the Qualys service in question (External vulnerability scan,
"black box" scan methodology). PCI DSS also mandates regular internal
scans and penetration tests. Qualys, as well as other vendors, provides
such services.

As for determining package version directly vs. by version banner, I
don't see any difference *in this case* as by default full
ubuntu-specific package version is displayed in SSH version banner and
Qualys requires users not to interfere with the scanning.

The issue that @root(mysky) has stems from the fact that Qualys is
usually very fast when including a vulnerable product in their detector
but sometimes slow to exclude fixed versions as in this case. This isn't
a big deal as they have False Positive Report mechanism that allows a
live service representative to assess the situation and allow your system
to pass even if the automatic scanner detects a non-existent
vulnerability.

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1794629

Title:
  CVE-2018-15473 - User enumeration vulnerability

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/openssh/+bug/1794629/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 1794629] Re: CVE-2018-15473 - User enumeration vulnerability

2019-04-08 Thread Seth Arnold
Vital, just scanning version banners is what leads to this problem.
Inspecting the package database would be far more reliable.

Thanks

[Bug 1794629] Re: CVE-2018-15473 - User enumeration vulnerability

2019-04-08 Thread Seth Arnold
Root, that script is suitable for timing attacks against ssh. This issue
is easier to use to enumerate users, but does require a different
approach. There was a tool posted to oss-security for this:
https://www.openwall.com/lists/oss-security/2018/08/16/1

Thanks

[Bug 1794629] Re: CVE-2018-15473 - User enumeration vulnerability

2019-04-08 Thread Vital Koshalew via ubuntu-bugs
@Seth Arnold,

Qualys automated vulnerability scanner is not supposed to do any
penetration testing, including vulnerability exploitation attempts as it
is run unattended so must not create any risks of DoS. Trying to exploit
some vulnerabilities can jeopardize production systems. This way, such
non-intrusive scans are by definition limited to sending completely
legitimate requests, checking the responses and then analyzing them
based on a vulnerability database.

[Bug 1794629] Re: CVE-2018-15473 - User enumeration vulnerability

2019-04-08 Thread Vital Koshalew via ubuntu-bugs
@root (mysky),

You don't need any scripts. Referring to a vendor's documentation
(https://usn.ubuntu.com/3809-1/ in this case) is usually enough.

See also:
https://pci.qualys.com/static/help/merchant/false_positives/submit_false_positive_requests.htm

[Bug 1794629] Re: CVE-2018-15473 - User enumeration vulnerability

2019-04-06 Thread root
@Vital & Seth
Thanks for the clarification, so Qualys is the culprit! Such a good security
company providing false reports without actually doing a full scan, and now I
am looking for a script to demonstrate this vulnerability fix. Any good script?

Will this do..?
https://github.com/nccgroup/ssh_user_enum

[Bug 1794629] Re: CVE-2018-15473 - User enumeration vulnerability

2019-04-05 Thread Seth Arnold
Root, aha! We've finally uncovered the root of the problem. (Sorry. I
can't help myself. It's Friday afternoon.)

While Qualys' TLS scanner is a top-notch tool that I use regularly,
their "security scanner" is sadly not. They have built a tool that
checks version numbers. This is not ideal, because the clear majority of
Linux systems do not do wholesale version updates but instead backport
specific security fixes:

https://wiki.ubuntu.com/SecurityTeam/FAQ#Versions
https://www.debian.org/security/faq#version
https://wiki.centos.org/FAQ/General#head-3dad8cb98ac535185e58e882a23ca4b096cbff2f
https://access.redhat.com/security/updates/backporting

These sorts of security scanners would be more useful if everyone built
their entire systems from scratch.

Anyway, please ask Qualys to consider consuming our OVAL data:
https://people.canonical.com/~ubuntu-security/oval/
or parsing our database directly:
https://git.launchpad.net/ubuntu-cve-tracker

Both of these approaches would give better results. (There are tradeoffs
involved. They are welcome to contact us at secur...@ubuntu.com if they
would like to discuss the tradeoffs.)

Thanks

[Bug 1794629] Re: CVE-2018-15473 - User enumeration vulnerability

2019-04-05 Thread Vital Koshalew via ubuntu-bugs
@root (mysky),

Qualys is slow to fix their detection algorithm. You just need to provide them
with a False Positive report citing the vendor documentation
(https://usn.ubuntu.com/3809-1/).
Faking software version is the last thing someone should do to be PCI DSS
compliant.

[Bug 1794629] Re: CVE-2018-15473 - User enumeration vulnerability

2019-04-05 Thread root
@Seth, that's fine, but the scanned Qualys report suggests installing
openssh >7.8 to fix this bug! Not sure where the issue is; PFA a sample
Qualys report. Do you know how to change the openssh version and hide the
OS version without compiling? Any SSHD_options? Let me know.


Thanks

** Attachment added: "recent qualys report on a server with openssh 7.6p1"
   
https://bugs.launchpad.net/ubuntu/+source/openssh/+bug/1794629/+attachment/5253000/+files/qualys_scan_report_2019.png

[Bug 1794629] Re: CVE-2018-15473 - User enumeration vulnerability

2019-04-01 Thread Seth Arnold
Root, version 1:7.6p1-4ubuntu0.1 included the fix for CVE-2018-15473.

Version 1:7.6p1-4ubuntu0.2 is included in the disc image
ubuntu-18.04.2-server-amd64:

$ sha256sum ubuntu-18.04.2-server-amd64.iso
a2cb36dc010d98ad9253ea5ad5a07fd6b409e3412c48f1860536970b073c98f5  ubuntu-18.04.2-server-amd64.iso
$ bsdtar tf ubuntu-18.04.2-server-amd64.iso | grep openssh
pool/main/o/openssh
pool/main/o/openssh/openssh-client-udeb_7.6p1-4ubuntu0.2_amd64.udeb
pool/main/o/openssh/openssh-client_7.6p1-4ubuntu0.2_amd64.deb
pool/main/o/openssh/openssh-server-udeb_7.6p1-4ubuntu0.2_amd64.udeb
pool/main/o/openssh/openssh-server_7.6p1-4ubuntu0.2_amd64.deb
pool/main/o/openssh/openssh-sftp-server_7.6p1-4ubuntu0.2_amd64.deb
pool/main/o/openssh/ssh_7.6p1-4ubuntu0.2_all.deb

1:7.6p1-4ubuntu0.2 includes the fix from 1:7.6p1-4ubuntu0.1 and fixes three
more CVEs:
- CVE-2018-20685
- CVE-2019-6109
- CVE-2019-6111

During the install, you have the option of downloading and installing updates.
These additional updates include openssh version 1:7.6p1-4ubuntu0.3 which
includes additional fixes for one CVE:
- CVE-2019-6111

Thanks

** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2018-20685

** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2019-6109

** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2019-6111

[Bug 1794629] Re: CVE-2018-15473 - User enumeration vulnerability

2019-03-31 Thread root
@Seth, if the update was released after November 6th 2018, then why am I
getting the 7.6p1 version even when I install with the latest ISO distro
from Feb 10 here?

http://cdimage.ubuntu.com/releases/18.04.2/release/ubuntu-18.04.2-server-amd64.iso

The above ISO is from Feb 2019 and it should be having an update of the
fixed version, but it doesn't!

[Bug 1794629] Re: CVE-2018-15473 - User enumeration vulnerability

2019-03-29 Thread Seth Arnold
root, version 1:7.6p1-4ubuntu0.1 was published to the archive on
November 6th 2018:

https://launchpad.net/ubuntu/+source/openssh/1:7.6p1-4ubuntu0.1
https://lists.ubuntu.com/archives/bionic-changes/2018-November/017000.html
https://usn.ubuntu.com/3809-1/

A default configuration of Ubuntu 18.04 LTS with unattended-upgrades
installed would have received this update within the next 36 hours or
so. If you installed before November 6th, then you probably received the
update November 6th or 7th. If you installed after November 6th, then
you probably received the update during installation. You can check
/var/log/dpkg.log* files to find the exact date and time you received
the update.

Thanks

[Bug 1794629] Re: CVE-2018-15473 - User enumeration vulnerability

2019-03-29 Thread root
@Seth, apt-upgrade doesn't update even in 18.04. I had to compile new ver
7.9p1 and replace the sshd bin file! Don't know why it is still not
pushed to the main repo!

[Bug 1794629] Re: CVE-2018-15473 - User enumeration vulnerability

2019-03-28 Thread Seth Arnold
root: sudo apt update && sudo apt upgrade

Thanks

[Bug 1794629] Re: CVE-2018-15473 - User enumeration vulnerability

2019-03-27 Thread root
How to get the fix installed via apt? Any link?

[Bug 1794629] Re: CVE-2018-15473 - User enumeration vulnerability

2018-11-08 Thread Marc Deslauriers
** Changed in: openssh (Ubuntu Cosmic)
   Status: In Progress => Fix Released

** Changed in: openssh (Ubuntu)
   Status: In Progress => Fix Released

[Bug 1794629] Re: CVE-2018-15473 - User enumeration vulnerability

2018-11-06 Thread Launchpad Bug Tracker
This bug was fixed in the package openssh - 1:7.6p1-4ubuntu0.1

---
openssh (1:7.6p1-4ubuntu0.1) bionic-security; urgency=medium

  [ Ryan Finnie ]
  * SECURITY UPDATE: OpenSSH User Enumeration Vulnerability (LP: #1794629)
    - debian/patches/CVE-2018-15473.patch: delay bailout for invalid
      authenticating user until after the packet containing the request
      has been fully parsed.
    - CVE-2018-15473

 -- leo.barb...@canonical.com (Leonidas S. Barbosa)  Mon, 05 Nov 2018 08:51:29 -0300

** Changed in: openssh (Ubuntu Bionic)
   Status: In Progress => Fix Released

[Bug 1794629] Re: CVE-2018-15473 - User enumeration vulnerability

2018-11-06 Thread Launchpad Bug Tracker
This bug was fixed in the package openssh - 1:7.2p2-4ubuntu2.6

---
openssh (1:7.2p2-4ubuntu2.6) xenial-security; urgency=medium

  [ Ryan Finnie ]
  * SECURITY UPDATE: OpenSSH User Enumeration Vulnerability (LP: #1794629)
    - debian/patches/CVE-2018-15473.patch: delay bailout for invalid
      authenticating user until after the packet containing the request
      has been fully parsed.
    - CVE-2018-15473
  * SECURITY UPDATE: Privsep process crashing via an out-of-sequence
    - debian/patches/CVE-2016-10708.patch: fix in kex.c,
      pack.c.
    - CVE-2016-10708

 -- leo.barb...@canonical.com (Leonidas S. Barbosa)  Thu, 01 Nov 2018 16:16:02 -0300

[Bug 1794629] Re: CVE-2018-15473 - User enumeration vulnerability

2018-11-06 Thread Launchpad Bug Tracker
This bug was fixed in the package openssh - 1:6.6p1-2ubuntu2.11

---
openssh (1:6.6p1-2ubuntu2.11) trusty-security; urgency=medium

  * SECURITY UPDATE: OpenSSH User Enumeration Vulnerability (LP: #1794629)
    - debian/patches/CVE-2018-15473.patch: delay bailout for invalid
      authenticating user until after the packet containing the request
      has been fully parsed.
    - CVE-2018-15473
  [ Leonidas S. Barbosa ]
  * SECURITY UPDATE: Privsep process crashing via an out-of-sequence
    - debian/patches/CVE-2016-10708.patch: fix in kex.c,
      pack.c.
    - CVE-2016-10708

 -- Ryan Finnie   Sat, 13 Oct 2018 23:31:08 +

** Changed in: openssh (Ubuntu Trusty)
   Status: In Progress => Fix Released

** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2016-10708

** Changed in: openssh (Ubuntu Xenial)
   Status: In Progress => Fix Released

[Bug 1794629] Re: CVE-2018-15473 - User enumeration vulnerability

2018-11-04 Thread Marc Deslauriers
** Also affects: openssh (Ubuntu Bionic)
   Importance: Undecided
   Status: New

** Also affects: openssh (Ubuntu Trusty)
   Importance: Undecided
   Status: New

** Also affects: openssh (Ubuntu Cosmic)
   Importance: Undecided
   Status: New

** Also affects: openssh (Ubuntu Xenial)
   Importance: Undecided
   Status: New

** Changed in: openssh (Ubuntu Trusty)
 Assignee: (unassigned) => Leonidas S. Barbosa (leosilvab)

** Changed in: openssh (Ubuntu Xenial)
 Assignee: (unassigned) => Leonidas S. Barbosa (leosilvab)

** Changed in: openssh (Ubuntu Bionic)
 Assignee: (unassigned) => Leonidas S. Barbosa (leosilvab)

** Changed in: openssh (Ubuntu Cosmic)
 Assignee: (unassigned) => Leonidas S. Barbosa (leosilvab)

** Changed in: openssh (Ubuntu)
 Assignee: (unassigned) => Leonidas S. Barbosa (leosilvab)

** Changed in: openssh (Ubuntu Trusty)
   Status: New => In Progress

** Changed in: openssh (Ubuntu Xenial)
   Status: New => In Progress

** Changed in: openssh (Ubuntu Bionic)
   Status: New => In Progress

** Changed in: openssh (Ubuntu Cosmic)
   Status: New => In Progress

** Changed in: openssh (Ubuntu)
   Status: Confirmed => In Progress

[Bug 1794629] Re: CVE-2018-15473 - User enumeration vulnerability

2018-11-03 Thread Mathew Hodson
** Changed in: openssh (Ubuntu)
   Importance: Undecided => Low

[Bug 1794629] Re: CVE-2018-15473 - User enumeration vulnerability

2018-10-15 Thread  Christian Ehrhardt 
Hi,
FYI I checked with the Security Team and this CVE seems considered low prio.
But the ubuntu-security-sponsor is subscribed so they will get to consider it.

[Bug 1794629] Re: CVE-2018-15473 - User enumeration vulnerability

2018-10-13 Thread Ryan Finnie
** Patch added: "lp1794629-artful.debdiff"
   
https://bugs.launchpad.net/ubuntu/+source/openssh/+bug/1794629/+attachment/5200768/+files/lp1794629-artful.debdiff

** Patch removed: 
"bionic-upstream-delay-bailout-for-invalid-authenticating-user.patch"
   
https://bugs.launchpad.net/ubuntu/+source/openssh/+bug/1794629/+attachment/5200217/+files/bionic-upstream-delay-bailout-for-invalid-authenticating-user.patch

[Bug 1794629] Re: CVE-2018-15473 - User enumeration vulnerability

2018-10-13 Thread Ryan Finnie
** Patch added: "lp1794629-trusty.debdiff"
   
https://bugs.launchpad.net/ubuntu/+source/openssh/+bug/1794629/+attachment/5200766/+files/lp1794629-trusty.debdiff

[Bug 1794629] Re: CVE-2018-15473 - User enumeration vulnerability

2018-10-13 Thread Ryan Finnie
** Patch added: "lp1794629-bionic.debdiff"
   
https://bugs.launchpad.net/ubuntu/+source/openssh/+bug/1794629/+attachment/5200767/+files/lp1794629-bionic.debdiff

[Bug 1794629] Re: CVE-2018-15473 - User enumeration vulnerability

2018-10-13 Thread Ryan Finnie
All debdiffs tested in the wild (except artful).

[Bug 1794629] Re: CVE-2018-15473 - User enumeration vulnerability

2018-10-13 Thread Ryan Finnie
** Patch added: "lp1794629-xenial.debdiff"
   
https://bugs.launchpad.net/ubuntu/+source/openssh/+bug/1794629/+attachment/5200765/+files/lp1794629-xenial.debdiff

[Bug 1794629] Re: CVE-2018-15473 - User enumeration vulnerability

2018-10-12 Thread Ubuntu Foundations Team Bug Bot
The attachment
"bionic-upstream-delay-bailout-for-invalid-authenticating-user.patch"
seems to be a patch.  If it isn't, please remove the "patch" flag from
the attachment, remove the "patch" tag, and if you are a member of the
~ubuntu-reviewers, unsubscribe the team.

[This is an automated message performed by a Launchpad user owned by
~brian-murray, for any issues please contact him.]

** Tags added: patch

[Bug 1794629] Re: CVE-2018-15473 - User enumeration vulnerability

2018-10-11 Thread Launchpad Bug Tracker
Status changed to 'Confirmed' because the bug affects multiple users.

** Changed in: openssh (Ubuntu)
   Status: New => Confirmed

[Bug 1794629] Re: CVE-2018-15473 - User enumeration vulnerability

2018-10-11 Thread Ryan Finnie
FYI, Qualys is now considering CVE-2018-15473 a PCI-DSS fail condition
(QID: 38726).

[Bug 1794629] Re: CVE-2018-15473 - User enumeration vulnerability

2018-10-11 Thread Ryan Finnie
** Patch added: 
"bionic-upstream-delay-bailout-for-invalid-authenticating-user.patch"
   
https://bugs.launchpad.net/ubuntu/+source/openssh/+bug/1794629/+attachment/5200217/+files/bionic-upstream-delay-bailout-for-invalid-authenticating-user.patch
