Bug 23492 - openssh new security issue CVE-2018-15919
Summary: openssh new security issue CVE-2018-15919
Status: RESOLVED WONTFIX
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security (show other bugs)
Version: Cauldron
Hardware: All Linux
Priority: Normal normal
Target Milestone: ---
Assignee: Bruno Cornec
QA Contact: Sec team
URL:
Whiteboard: MGA8TOO, MGA7TOO
Keywords:
Depends on:
Blocks:
 
Reported: 2018-08-28 13:08 CEST by David Walser
Modified: 2021-01-04 18:15 CET (History)
2 users (show)

See Also:
Source RPM: openssh-7.8p1-1.mga7.src.rpm
CVE:
Status comment: Not fixed upstream as of mid 2020


Attachments

Description David Walser 2018-08-28 13:08:30 CEST
Another user enumeration issue has been announced:
http://openwall.com/lists/oss-security/2018/08/28/2

I think the message above contains a suggested patch.

Mageia 5 and Mageia 6 are also affected.
David Walser 2018-08-28 13:08:45 CEST

Whiteboard: (none) => MGA6TOO

Comment 1 Bruno Cornec 2018-10-11 01:33:40 CEST
CVE-2018-15919 but no update yet as it seems.

CC: (none) => bruno

Comment 2 David Walser 2018-11-08 18:38:58 CET
SUSE has issued an advisory for this on October 29:
http://lists.suse.com/pipermail/sle-security-updates/2018-October/004804.html
Comment 3 Bruno Cornec 2018-11-09 02:01:33 CET
Some of the BR mentioned are not visible (even when I login) for me:
https://bugzilla.suse.com/show_bug.cgi?id=1105180
https://bugzilla.suse.com/show_bug.cgi?id=1106726
Not sure whether they are related to this CVE.

This one: https://bugzilla.suse.com/show_bug.cgi?id=1106163 is related to it but doesn't provide directly a patch. 
And the CVE itself: https://www.suse.com/security/cve/CVE-2018-15919/ mentions the patchname http://download.suse.com/patch/finder/#familyId=&productId=&dateRange=&startDate=&endDate=&priority=&distribution=&architecture=&keywords=SUSE-SLE-Module-Basesystem-15-2018-2619 for SLES 15 which could be resued, but again is not yet available.
Comment 4 David Walser 2018-11-09 18:19:30 CET
Yeah I've never been able to find SUSE patches.  Hopefully the update will be issued for openSUSE 15 soon; then we'll have access to it through build.opensuse.org.
Comment 5 David Walser 2018-11-20 23:19:49 CET
openSUSE has issued an advisory for this on November 17:
https://lists.opensuse.org/opensuse-updates/2018-11/msg00089.html

openssh-7.6p1-bsc_1111776-CVE-2018-15919.patch is apparently the name of the patch, but it appears to be in a tarball inside the SRPM and not available through build.opensuse.org.

Try:
http://download.opensuse.org/update/leap/15.0/oss/src/openssh-7.6p1-lp150.8.3.1.src.rpm
Comment 6 Bruno Cornec 2018-11-24 02:07:39 CET
Link seems to not work, however this one, more recent, is:
https://www.rpmfind.net/linux/RPM/opensuse/updates/leap/15.0/oss/src/openssh-7.6p1-lp150.8.6.1.src.html

Assignee: guillomovitch => bruno
Status: NEW => ASSIGNED

Comment 7 Bruno Cornec 2018-11-24 02:15:09 CET
However the patch mentioned upper is not in that src.rpm.
The most recent patch there is from the 26th of october.

The only one mentioning a 2018 patch is openssh-7.6p1-CVE-2018-15473.patch

And SUSE BR https://bugzilla.suse.com/show_bug.cgi?id=1106163 mentions that anyway the patch for CVE-2018-15919 was reverted (due to a bug that can't be seen.

SO I guess we have to wait more for a correct patch to be produced
Comment 8 David Walser 2018-11-24 02:17:10 CET
Yeah the new update is particularly unhelpful :o)

https://lists.opensuse.org/opensuse-updates/2018-11/msg00113.html
David Walser 2019-02-03 02:02:21 CET

Status comment: (none) => Not fixed upstream as of end of 2018

David Walser 2019-06-23 19:31:16 CEST

Whiteboard: MGA6TOO => MGA7TOO, MGA6TOO

Nicolas Lécureuil 2020-05-22 14:07:47 CEST

Whiteboard: MGA7TOO, MGA6TOO => MGA7TOO
CC: (none) => mageia

David Walser 2020-12-28 17:09:44 CET

Whiteboard: MGA7TOO => MGA8TOO, MGA7TOO

Comment 9 Bruno Cornec 2021-01-04 18:00:07 CET
Do you think this bug also affects mga8 which has 8.4p1 ?
I'd expect not
Comment 10 David Walser 2021-01-04 18:09:19 CET
I haven't seen any more mentions of it, so it's probably still not fixed.
Comment 11 David Walser 2021-01-04 18:15:38 CET
Mitigation:
https://bugzilla.redhat.com/show_bug.cgi?id=1623184#c21

GSSAPIAuthentication is not enabled by default in Mageia.

Upstream and SUSE have WONTFIX'd this, unfortunately:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-15919
https://ubuntu.com/security/CVE-2018-15919
https://bugzilla.suse.com/show_bug.cgi?id=1106163

Guess I'll close it too until/unless they change their minds.

Status comment: Not fixed upstream as of end of 2018 => Not fixed upstream as of mid 2020
Resolution: (none) => WONTFIX
Status: ASSIGNED => RESOLVED


Note You need to log in before you can comment on or make changes to this bug.