AOSC-Dev / aosc-os-abbs

ABBS/ACBS tree for AOSC OS package metadata, build configuration, scripts, and patches
https://packages.aosc.io
GNU General Public License v2.0

openssh: CVE-2018-15473 #1333

Closed l2dy closed 6 years ago

l2dy commented 6 years ago

https://github.com/openbsd/src/commit/779974d35b4859c07bc3cb8a12c74b43b0a7d1e0
https://github.com/openssh/openssh-portable/commit/74287f5df9966a0648b4a68417451dd18f079ab8

MingcongBai commented 6 years ago

Having trouble backporting the patch listed...

MingcongBai commented 6 years ago

@l2dy Are there any other distributions attempting to patch this issue, and will this issue get a CVE?

l2dy commented 6 years ago

We believe that this issue warrants a CVE; it affects all operating systems, all OpenSSH versions (we went back as far as OpenSSH 2.3.0, released in November 2000), and is easier to exploit than previous OpenSSH username enumerations (which were all timing attacks) [...]

l2dy commented 6 years ago

Cross-References: DSA-4280-1

MingcongBai commented 6 years ago

Fix available from here.

MingcongBai commented 6 years ago

Marking upgrade, difficulties with backporting patch to 7.6.

MingcongBai commented 6 years ago

Fixed with https://github.com/AOSC-Dev/aosc-os-abbs/commit/35ee57617c7089abc3e17710e6758180f7e421a9. Closing.

l2dy commented 6 years ago

Use AOSA-2018-0374.

l2dy commented 6 years ago

Cross-References: GLSA 201810-03