Alerts This Week
Warning Icon 1 666
Alerts This Week
Warning Icon 1 666

openSUSE Leap 15.0: 2018:3801-1 Moderate: openssh User Enumeration Threat

opensuse
Calendar Grey November 17, 2018
Dist Opensuse Esm H88
Update for openSUSE fixes two issues in openssh, ensuring better security for users. Install recommended patches.
An update that solves two vulnerabilities and has three fixes is now available.

Description

This update for openssh fixes the following issues:

- CVE-2018-15919: Remotely observable behaviour in auth-gss2.c in OpenSSH

could be used by remote attackers to detect existence of users on a

target system when GSS2 is in use. OpenSSH developers do not want to

treat such a username enumeration (or "oracle") as a vulnerability.

(bsc#1106163)

- CVE-2018-15473: OpenSSH was prone to a user existance oracle

vulnerability due to not delaying bailout for an invalid authenticating

user until after the packet containing the request has been fully

parsed, related to auth2-gss.c, auth2-hostbased.c, and auth2-pubkey.c.

(bsc#1105010)

The following non-security issues were fixed:

- Stop leaking File descriptors (bsc#964336)

- sftp-client.c returns wrong error code upon failure (bsc#1091396)

- added pam_keyinit to pam configuration file (bsc#1081947)

This update was imported from the SUSE:SLE-15:Update update project.

Topics%20covered

Topics Covered

security advisory moderate threat openssh openSUSE user existence issue

Patch

Patch Instructions:

To install this openSUSE Security Update use the SUSE recommended installation methods

like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

- openSUSE Leap 15.0:

zypper in -t patch openSUSE-2018-1419=1

Package List

- openSUSE Leap 15.0 (i586 x86_64):

openssh-7.6p1-lp150.8.3.1

openssh-cavs-7.6p1-lp150.8.3.1

openssh-cavs-debuginfo-7.6p1-lp150.8.3.1

openssh-debuginfo-7.6p1-lp150.8.3.1

openssh-debugsource-7.6p1-lp150.8.3.1

openssh-fips-7.6p1-lp150.8.3.1

openssh-helpers-7.6p1-lp150.8.3.1

openssh-helpers-debuginfo-7.6p1-lp150.8.3.1

- openSUSE Leap 15.0 (x86_64):

openssh-askpass-gnome-7.6p1-lp150.8.3.1

openssh-askpass-gnome-debuginfo-7.6p1-lp150.8.3.1

References

https://www.suse.com/security/cve/CVE-2018-15473.html

https://www.suse.com/security/cve/CVE-2018-15919.html

https://bugzilla.suse.com/1081947

https://bugzilla.suse.com/1091396

https://bugzilla.suse.com/1105010

https://bugzilla.suse.com/1106163

https://bugzilla.suse.com/964336

--

Announcement ID: openSUSE-SU-2018:3801-1
Rating: moderate
Affected Products: openSUSE Leap 15.0 le.

Topics%20covered

Topics Covered

security advisory moderate threat openssh openSUSE user existence issue

Get the latest News and Insights

Get the latest Linux and open source security news straight to your inbox.

Related News

Your message here