Your submission was sent successfully! Close

CVE-2018-15919

Published: 28 August 2018

Remotely observable behaviour in auth-gss2.c in OpenSSH through 7.8 could be used by remote attackers to detect existence of users on a target system when GSS2 is in use. NOTE: the discoverer states 'We understand that the OpenSSH developers do not want to treat such a username enumeration (or "oracle") as a vulnerability.'

Priority

Low

CVSS 3 base score: 5.3

Status

Package Release Status
openssh
Launchpad, Ubuntu, Debian
bionic Ignored

cosmic Ignored
(reached end-of-life)
disco Ignored
(reached end-of-life)
eoan Ignored

focal Ignored

precise Ignored

trusty Ignored

upstream Needs triage

xenial Ignored

openssh-ssh1
Launchpad, Ubuntu, Debian
bionic Ignored

cosmic Ignored
(reached end-of-life)
disco Ignored
(reached end-of-life)
eoan Ignored

focal Ignored

precise Does not exist

trusty Does not exist

upstream Ignored
(frozen on openssh 7.5p)
xenial Does not exist

Notes

AuthorNote
seth-arnold
openssh-ssh1 is provided for compatibility with old devices that
cannot be upgraded to modern protocols. Thus we may not provide security
support for this package if doing so would prevent access to equipment.
mdeslaur
SUSE reverted the fix for this issue because of a regression

per the post to oss-security, upstream doesn't conside this to
be a security issue, and as of 2020-07-07, there is no upstream
fix for this. We will not be fixing this issue in Ubuntu.

References

Bugs