Remotely observable behaviour in auth-gss2.c in OpenSSH through 7.8 could
be used by remote attackers to detect existence of users on a target system
when GSS2 is in use. NOTE: the discoverer states 'We understand that the
OpenSSH developers do not want to treat such a username enumeration (or
"oracle") as a vulnerability.'
 sarnold> openssh-ssh1 is provided for compatibility with old devices that
  cannot be upgraded to modern protocols. Thus we may not provide security
  support for this package if doing so would prevent access to equipment.
 mdeslaur> SUSE reverted the fix for this issue because of a regression
 mdeslaur> per the post to oss-security, upstream doesn't conside this to
 mdeslaur> be a security issue, and as of 2019-01-31, there is no upstream
 mdeslaur> fix for this
Ubuntu 12.04 ESM (Precise Pangolin):deferred (2019-01-31)
Ubuntu 14.04 LTS (Trusty Tahr):deferred (2019-01-31)
Ubuntu 16.04 LTS (Xenial Xerus):deferred (2019-01-31)
Ubuntu 18.04 LTS (Bionic Beaver):deferred (2019-01-31)
Ubuntu 18.10 (Cosmic Cuttlefish):deferred (2019-01-31)
Ubuntu 19.04 (Disco Dingo):deferred (2019-01-31)
Upstream:ignored (frozen on openssh 7.5p)
Ubuntu 12.04 ESM (Precise Pangolin):DNE
Ubuntu 14.04 LTS (Trusty Tahr):DNE
Ubuntu 16.04 LTS (Xenial Xerus):DNE
Ubuntu 18.04 LTS (Bionic Beaver):needs-triage
Ubuntu 18.10 (Cosmic Cuttlefish):needs-triage
Ubuntu 19.04 (Disco Dingo):needs-triage
More Information

Updated: 2019-01-31 13:14:23 UTC (commit 0eb743686d54cdfca55fbe749c83484450cb9152)