Another user enumeration issue has been announced: http://openwall.com/lists/oss-security/2018/08/28/2 I think the message above contains a suggested patch. Mageia 5 and Mageia 6 are also affected.
Whiteboard: (none) => MGA6TOO
CVE-2018-15919 but no update yet as it seems.
CC: (none) => bruno
SUSE has issued an advisory for this on October 29: http://lists.suse.com/pipermail/sle-security-updates/2018-October/004804.html
Some of the BR mentioned are not visible (even when I log in) for me: https://bugzilla.suse.com/show_bug.cgi?id=1105180 https://bugzilla.suse.com/show_bug.cgi?id=1106726 Not sure whether they are related to this CVE. This one: https://bugzilla.suse.com/show_bug.cgi?id=1106163 is related to it but doesn't directly provide a patch. And the CVE itself: https://www.suse.com/security/cve/CVE-2018-15919/ mentions the patchname http://download.suse.com/patch/finder/#familyId=&productId=&dateRange=&startDate=&endDate=&priority=&distribution=&architecture=&keywords=SUSE-SLE-Module-Basesystem-15-2018-2619 for SLES 15 which could be reused, but again is not yet available.
Yeah I've never been able to find SUSE patches. Hopefully the update will be issued for openSUSE 15 soon; then we'll have access to it through build.opensuse.org.
openSUSE has issued an advisory for this on November 17: https://lists.opensuse.org/opensuse-updates/2018-11/msg00089.html openssh-7.6p1-bsc_1111776-CVE-2018-15919.patch is apparently the name of the patch, but it appears to be in a tarball inside the SRPM and not available through build.opensuse.org. Try: http://download.opensuse.org/update/leap/15.0/oss/src/openssh-7.6p1-lp150.8.3.1.src.rpm
Link seems to not work, however this one, more recent, is: https://www.rpmfind.net/linux/RPM/opensuse/updates/leap/15.0/oss/src/openssh-7.6p1-lp150.8.6.1.src.html
Assignee: guillomovitch => bruno
Status: NEW => ASSIGNED
However, the patch mentioned above is not in that src.rpm. The most recent patch there is from the 26th of October. The only one mentioning a 2018 patch is openssh-7.6p1-CVE-2018-15473.patch. And SUSE BR https://bugzilla.suse.com/show_bug.cgi?id=1106163 mentions that anyway the patch for CVE-2018-15919 was reverted (due to a bug that can't be seen). So I guess we have to wait more for a correct patch to be produced.
Yeah the new update is particularly unhelpful :o) https://lists.opensuse.org/opensuse-updates/2018-11/msg00113.html
Status comment: (none) => Not fixed upstream as of end of 2018
Whiteboard: MGA6TOO => MGA7TOO, MGA6TOO
Whiteboard: MGA7TOO, MGA6TOO => MGA7TOO
CC: (none) => mageia
Whiteboard: MGA7TOO => MGA8TOO, MGA7TOO
Do you think this bug also affects mga8, which has 8.4p1? I'd expect not.
I haven't seen any more mentions of it, so it's probably still not fixed.
Mitigation: https://bugzilla.redhat.com/show_bug.cgi?id=1623184#c21 GSSAPIAuthentication is not enabled by default in Mageia. Upstream and SUSE have WONTFIX'd this, unfortunately: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-15919 https://ubuntu.com/security/CVE-2018-15919 https://bugzilla.suse.com/show_bug.cgi?id=1106163 Guess I'll close it too until/unless they change their minds.
Status comment: Not fixed upstream as of end of 2018 => Not fixed upstream as of mid 2020
Resolution: (none) => WONTFIX
Status: ASSIGNED => RESOLVED