CVE-2018-15919
Published: 28 August 2018
Remotely observable behaviour in auth-gss2.c in OpenSSH through 7.8 could be used by remote attackers to detect existence of users on a target system when GSS2 is in use. NOTE: the discoverer states 'We understand that the OpenSSH developers do not want to treat such a username enumeration (or "oracle") as a vulnerability.'
Priority
Low
CVSS 3 base score: 5.3
Status
| Package | Release | Status |
|---|---|---|
|
openssh Launchpad, Ubuntu, Debian |
Upstream |
Needs triage
|
| Ubuntu 20.04 LTS (Focal Fossa) |
Ignored
|
|
| Ubuntu 18.04 LTS (Bionic Beaver) |
Ignored
|
|
| Ubuntu 16.04 ESM (Xenial Xerus) |
Ignored
|
|
| Ubuntu 14.04 ESM (Trusty Tahr) |
Ignored
|
|
|
openssh-ssh1 Launchpad, Ubuntu, Debian |
Upstream |
Ignored
(frozen on openssh 7.5p)
|
| Ubuntu 20.04 LTS (Focal Fossa) |
Ignored
|
|
| Ubuntu 18.04 LTS (Bionic Beaver) |
Ignored
|
|
| Ubuntu 16.04 ESM (Xenial Xerus) |
Does not exist
|
|
| Ubuntu 14.04 ESM (Trusty Tahr) |
Does not exist
|
Notes
| Author | Note |
|---|---|
| seth-arnold | openssh-ssh1 is provided for compatibility with old devices that cannot be upgraded to modern protocols. Thus we may not provide security support for this package if doing so would prevent access to equipment. |
| mdeslaur | SUSE reverted the fix for this issue because of a regression per the post to oss-security, upstream doesn't conside this to be a security issue, and as of 2020-07-07, there is no upstream fix for this. We will not be fixing this issue in Ubuntu. |
References
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-15919
- http://www.openwall.com/lists/oss-security/2018/08/27/2
- http://seclists.org/oss-sec/2018/q3/180
- NVD
- Launchpad
- Debian