Explore top 10 tips to secure your open-source projects now. Read More

×
Alerts This Week
Warning Icon 1 433
Alerts This Week
Warning Icon 1 433

SUSE Linux 12: 2018:3776-1 Moderate: Openssh User Issues And Fixes

suse
Calendar Grey November 16, 2018
Dist Suse Esm H88
A recent OpenSSH update tackles various vulnerabilities such as user enumeration and introduces significant security improvements tailored for SUSE Linux environments.
An update that solves two vulnerabilities and has three fixes is now available

Summary

This update for openssh fixes the following issues: Following security issues have been fixed: - CVE-2018-15919: Remotely observable behaviour in auth-gss2.c in OpenSSH could be used by remote attackers to detect existence of users on a target system when GSS2 is in use. OpenSSH developers do not want to treat such a username enumeration (or "oracle") as a vulnerability. (bsc#1106163) - CVE-2018-15473: OpenSSH was prone to a user existance oracle vulnerability due to not delaying bailout for an invalid authenticating user until after the packet containing the request has been fully parsed, related to auth2-gss.c, auth2-hostbased.c, and auth2-pubkey.c. (bsc#1105010) Also the following security related hardening change was done: - Remove arcfour,cast,blowfish from list of default ciphers. (bsc#982273)

References

#1091396 #1105010 #1106163 #964336 #982273

Cross- CVE-2018-15473 CVE-2018-15919

Affected Products:

SUSE Linux Enterprise Server 12-SP1-LTSS

SUSE Linux Enterprise Server 12-LTSS

https://www.suse.com/security/cve/CVE-2018-15473.html

https://www.suse.com/security/cve/CVE-2018-15919.html

https://bugzilla.suse.com/1091396

https://bugzilla.suse.com/1105010

https://bugzilla.suse.com/1106163

https://bugzilla.suse.com/964336

https://bugzilla.suse.com/982273

Announcement ID: SUSE-SU-2018:3776-1
Rating: moderate

Get the latest News and Insights

Get the latest Linux and open source security news straight to your inbox.