A security issue fixed upstream in OpenSSH has been announced on August 15: http://openwall.com/lists/oss-security/2018/08/15/5 The commit fixing the issue is linked from the message above. Mageia 5 and Mageia 6 are also affected.
Whiteboard: (none) => MGA6TOO
Assigning to the registered maintainer.
CC: (none) => marja11
Assignee: bugsquad => guillomovitch
Fixed in cauldron by openssh-7.7p1-1.mga7.
Version: Cauldron => 6
Whiteboard: MGA6TOO => (none)
This has been assigned CVE-2018-15473: http://openwall.com/lists/oss-security/2018/08/17/8
Summary: openssh new user enumeration security issue => openssh new user enumeration security issue (CVE-2018-15473)
Patched package uploaded by Guillaume. Advisory to come later.

openssh-7.5p1-2.2.mga6
openssh-clients-7.5p1-2.2.mga6
openssh-server-7.5p1-2.2.mga6
openssh-askpass-common-7.5p1-2.2.mga6
openssh-askpass-7.5p1-2.2.mga6
openssh-askpass-gnome-7.5p1-2.2.mga6
openssh-ldap-7.5p1-2.2.mga6

from openssh-7.5p1-2.2.mga6.src.rpm
Assignee: guillomovitch => qa-bugs
CC: (none) => guillomovitch
Full writeup of the issue: https://sekurak.pl/openssh-users-enumeration-cve-2018-15473/
Advisory, added to svn:

type: security
subject: Updated openssh packages fix security vulnerability
CVE:
 - CVE-2018-15473
src:
  6:
   core:
     - openssh-7.5p1-2.2.mga6
description: |
  OpenSSH through 7.7 is prone to a user enumeration vulnerability due to not
  delaying bailout for an invalid authenticating user until after the packet
  containing the request has been fully parsed, related to auth2-gss.c,
  auth2-hostbased.c, and auth2-pubkey.c (CVE-2018-15473).
references:
 - https://bugs.mageia.org/show_bug.cgi?id=23452
 - https://openwall.com/lists/oss-security/2018/08/15/5
 - https://sekurak.pl/openssh-users-enumeration-cve-2018-15473/

Keywords: (none) => advisory
CC: (none) => tmb
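The ordering problem named in the advisory description, as an added example that is not part of the original report and is not OpenSSH source: a simplified model of a request handler that bails out for an invalid user before parsing, beside one that parses first, with a regression check that the outcome does not depend on whether the user exists. All names (`handle_early_bailout`, `handle_late_bailout`, `outcome_leaks_validity`, the toy body format) are hypothetical.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Simplified model, not OpenSSH source: every name here is hypothetical. */
enum outcome { OUT_AUTH_FAILURE, OUT_PARSE_ERROR };
struct request { bool user_valid; const unsigned char *buf; size_t len; };

/* Toy parser: body is a 1-byte length followed by exactly that many bytes. */
static bool parse_body(const struct request *r)
{
    return r->len >= 1 && (size_t)r->buf[0] == r->len - 1;
}

/* Pre-fix ordering: bail out for an invalid user before parsing. */
enum outcome handle_early_bailout(const struct request *r)
{
    if (!r->user_valid)
        return OUT_AUTH_FAILURE;
    return parse_body(r) ? OUT_AUTH_FAILURE : OUT_PARSE_ERROR;
}

/* Post-fix ordering: parse the whole request, then reject. */
enum outcome handle_late_bailout(const struct request *r)
{
    if (!parse_body(r))
        return OUT_PARSE_ERROR;
    return OUT_AUTH_FAILURE; /* same answer whether or not user_valid */
}

/* Regression invariant: the outcome must not depend on user_valid. */
bool outcome_leaks_validity(enum outcome (*h)(const struct request *),
                            const unsigned char *buf, size_t len)
{
    struct request known = { true, buf, len };
    struct request unknown = { false, buf, len };
    return h(&known) != h(&unknown);
}

int main(void)
{
    const unsigned char bad[] = { 5, 'a' }; /* constructed: length mismatch */
    printf("early bailout leaks: %d\n",
           outcome_leaks_validity(handle_early_bailout, bad, sizeof bad));
    printf("late bailout leaks:  %d\n",
           outcome_leaks_validity(handle_late_bailout, bad, sizeof bad));
    return 0;
}
```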
works on mga infra
Whiteboard: (none) => MGA6-64-OK
Installed and tested without issues.

Test included:
- client and server shell (bash) session.
- scp files to/from a server.
- rsync files to/from a server.
- pssh to various servers.
- port forwarding (local port to remote cpanel listening on lo device, local port to remote mysql listening on lo device).
- ed25519 key authentication.
- ssh-agent
- ssh-add

local and remote systems: Mageia 6, x86_64, Intel CPU or AMD CPU.

$ uname -a
Linux marte 4.14.65-desktop-1.mga6 #1 SMP Sat Aug 18 14:50:29 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux

$ rpm -qa | grep openssh | sort
openssh-7.5p1-2.2.mga6
openssh-askpass-7.5p1-2.2.mga6
openssh-askpass-common-7.5p1-2.2.mga6
openssh-askpass-qt4-1.0.1-12.mga6
openssh-askpass-qt5-2.0.3-1.mga6
openssh-clients-7.5p1-2.2.mga6
openssh-server-7.5p1-2.2.mga6
CC: (none) => mageia
Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2018-0363.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED