CVE-2018-15919

Published: 28 August 2018

Remotely observable behaviour in auth-gss2.c in OpenSSH through 7.8 could be used by remote attackers to detect existence of users on a target system when GSS2 is in use. NOTE: the discoverer states 'We understand that the OpenSSH developers do not want to treat such a username enumeration (or "oracle") as a vulnerability.'

Priority

Low

CVSS 3 base score: 5.3

Status

Package Release Status
openssh
Launchpad, Ubuntu, Debian
Upstream Needs triage

Ubuntu 20.10 (Groovy Gorilla) Ignored

Ubuntu 20.04 LTS (Focal Fossa) Ignored

Ubuntu 18.04 LTS (Bionic Beaver) Ignored

Ubuntu 16.04 LTS (Xenial Xerus) Ignored

Ubuntu 14.04 ESM (Trusty Tahr) Ignored

openssh-ssh1
Launchpad, Ubuntu, Debian
Upstream Ignored
(frozen on openssh 7.5p)
Ubuntu 20.10 (Groovy Gorilla) Ignored

Ubuntu 20.04 LTS (Focal Fossa) Ignored

Ubuntu 18.04 LTS (Bionic Beaver) Ignored

Ubuntu 16.04 LTS (Xenial Xerus) Does not exist

Ubuntu 14.04 ESM (Trusty Tahr) Does not exist

Notes

AuthorNote
seth-arnold
openssh-ssh1 is provided for compatibility with old devices that
cannot be upgraded to modern protocols. Thus we may not provide security
support for this package if doing so would prevent access to equipment.
mdeslaur
SUSE reverted the fix for this issue because of a regression

per the post to oss-security, upstream doesn't conside this to
be a security issue, and as of 2020-07-07, there is no upstream
fix for this. We will not be fixing this issue in Ubuntu.

References

Bugs