Hi,
The only thing an attacker can do with this vulnerability is DoS their
own connection. As such, it is not considered a security issue either by
the upstream OpenSSH project, or by the Ubuntu security team.
Like other distros, we have no plans to fix this issue in our stable
releases.
** Changed in: openssh (Ubuntu)
Status: New => Won't Fix
--
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to openssh in Ubuntu.
https://bugs.launchpad.net/bugs/1891123
Title:
Openssh vulnerability on ubuntu 16.04
Status in openssh package in Ubuntu:
Won't Fix
Bug description:
Hi
This is regarding the openssh vulnerability reported in our environment
during security scan.
Our environment base is ubuntu 16.04 Xenial.
Vulnerability report says that openssh is vulnerable in 16.04.
It says:
** DISPUTED ** The kex_input_kexinit function in kex.c in OpenSSH 6.x and 7.x
through 7.3 allows remote attackers to cause a denial of service (memory
consumption) by sending many duplicate KEXINIT requests.
NOTE: a third party reports that "OpenSSH upstream does not consider this as
a security issue."
As per below link this is ignored on 16.04. But as per the vulnerability scan
in our environment this is reported as high priority issue.
https://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-8858.html
And this Vulnerability is reported to be fixed from 18.04 ubuntu releases in
openssh 7.3 later versions.
But in 16.04 the latest openssh version is of 7.2 As per
https://launchpad.net/ubuntu/xenial/+source/openssh
Can we even expect to be get this openssh vulnerability fixed even in
16.04?
Best Regards,
Sowmya Divvi
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/openssh/+bug/1891123/+subscriptions
--
Mailing list: https://launchpad.net/~touch-packages
Post to : [email protected]
Unsubscribe : https://launchpad.net/~touch-packages
More help : https://help.launchpad.net/ListHelp
