Thanks for taking the time to report this bug and make Ubuntu better. You can see more information about these CVEs by using the CVE tracker. See

https://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-8858.html
https://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-10009.html
https://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-10010.html
https://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-10011.html
https://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-10012.html

CVE-2016-8858 is disputed by upstream since the attacker can only DoS their own connection. CVE-2016-10012 is related to pre-auth compression, which has been disabled by default for > 10 years. CVE-2016-10010 is only impactful if privilege separation is not used; however, privilege separation is enabled by default. CVE-2016-10009 and CVE-2016-20011 are both low priority.

These issues are on the list to be fixed and will be fixed as soon as possible based on their priority. Will your scanning software allow you to annotate findings?

** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2016-20011

--
https://bugs.launchpad.net/bugs/1732172

Title: [CVE] Security Vulnerabilities in OpenSSH on Ubuntu 14.04
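
The message above rests two of its assessments on default settings (pre-auth compression off, privilege separation on). The following is an added example, not part of the original message or of any Ubuntu tooling, showing how to confirm those settings on a host when annotating a scanner finding. It assumes the `sshd -T` output format (lowercase keyword, then value) and that `Compression yes` means pre-authentication compression in the OpenSSH release in question; the function name is hypothetical.

```shell
#!/bin/sh
# Added example. Reads effective sshd settings on stdin, in the format
# printed by "sshd -T" (assumed: lowercase keyword, space, value), and
# reports the two non-default conditions the message refers to.
# Exit status: 0 = neither condition present, 1 = at least one present.
check_sshd_effective() {
    awk '
        $1 == "compression"            { comp = tolower($2) }
        $1 == "useprivilegeseparation" { priv = tolower($2) }
        END {
            bad = 0
            # Assumption: "yes" starts compression before authentication;
            # "delayed" and "no" do not.
            if (comp == "yes") {
                print "CVE-2016-10012 relevant: pre-auth compression enabled"
                bad = 1
            }
            # Any value other than "no" (yes, sandbox) keeps privsep on.
            if (priv == "no") {
                print "CVE-2016-10010 relevant: privilege separation disabled"
                bad = 1
            }
            # A missing keyword means the input was not a full config dump.
            if (comp == "") print "note: compression setting not reported"
            if (priv == "") print "note: useprivilegeseparation not reported"
            exit bad
        }'
}

# Constructed sample input (not captured from a real host): both
# defaults overridden, so both findings are printed.
check_sshd_effective <<'EOF' || true
port 22
compression yes
useprivilegeseparation no
EOF

# On a real host (needs root to read host keys):
#   sshd -T | check_sshd_effective
```

A host that prints nothing and exits 0 is running with the defaults the message relies on, which is the evidence to attach when annotating the CVE-2016-10012 and CVE-2016-10010 findings.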
