Explore top 10 tips to secure your open-source projects now. Read More

×
Alerts This Week
Warning Icon 1 433
Alerts This Week
Warning Icon 1 433

SUSE Linux 11-SP4: SUSE-SU-2018:3781-1 Moderate: OpenSSH User Enumeration

suse
Calendar Grey November 16, 2018
Dist Suse Esm H88
SUSE provides a significant security patch for OpenSSH rectifying user enumeration vulnerabilities while bolstering protocol integrity.
An update that solves two vulnerabilities and has three fixes is now available

Summary

This update for openssh fixes the following issues: Following security issues have been fixed: - CVE-2018-15919: Remotely observable behaviour in auth-gss2.c in OpenSSH could be used by remote attackers to detect existence of users on a target system when GSS2 is in use. OpenSSH developers do not want to treat such a username enumeration (or "oracle") as a vulnerability. (bsc#1106163) - CVE-2018-15473: OpenSSH was prone to a user existance oracle vulnerability due to not delaying bailout for an invalid authenticating user until after the packet containing the request has been fully parsed, related to auth2-gss.c, auth2-hostbased.c, and auth2-pubkey.c. (bsc#1105010) Also the following security related hardening change was done: - Removed arcfour,blowfish,cast from list of default ciphers as they are

References

#1091396 #1105010 #1106163 #964336 #982273

Cross- CVE-2018-15473 CVE-2018-15919

Affected Products:

SUSE Linux Enterprise Server 11-SP4

SUSE Linux Enterprise Debuginfo 11-SP4

https://www.suse.com/security/cve/CVE-2018-15473.html

https://www.suse.com/security/cve/CVE-2018-15919.html

https://bugzilla.suse.com/1091396

https://bugzilla.suse.com/1105010

https://bugzilla.suse.com/1106163

https://bugzilla.suse.com/964336

https://bugzilla.suse.com/982273

Announcement ID: SUSE-SU-2018:3781-1
Rating: moderate

Get the latest News and Insights

Get the latest Linux and open source security news straight to your inbox.