CVE-2018-15919

Priority
Description
Remotely observable behaviour in auth-gss2.c in OpenSSH through 7.8 could
be used by remote attackers to detect existence of users on a target system
when GSS2 is in use. NOTE: the discoverer states 'We understand that the
OpenSSH developers do not want to treat such a username enumeration (or
"oracle") as a vulnerability.'
Notes
sarnoldopenssh-ssh1 is provided for compatibility with old devices that
cannot be upgraded to modern protocols. Thus we may not provide security
support for this package if doing so would prevent access to equipment.
mdeslaurSUSE reverted the fix for this issue because of a regression

per the post to oss-security, upstream doesn't conside this to
be a security issue, and as of 2020-07-07, there is no upstream
fix for this. We will not be fixing this issue in Ubuntu.
Package
Upstream:needs-triage
Ubuntu 12.04 ESM (Precise Pangolin):ignored
Ubuntu 14.04 ESM (Trusty Tahr):ignored
Ubuntu 16.04 LTS (Xenial Xerus):ignored
Ubuntu 18.04 LTS (Bionic Beaver):ignored
Ubuntu 20.04 LTS (Focal Fossa):ignored
Ubuntu 20.10 (Groovy Gorilla):ignored
Package
Upstream:ignored (frozen on openssh 7.5p)
Ubuntu 12.04 ESM (Precise Pangolin):DNE
Ubuntu 14.04 ESM (Trusty Tahr):DNE
Ubuntu 16.04 LTS (Xenial Xerus):DNE
Ubuntu 18.04 LTS (Bionic Beaver):ignored
Ubuntu 20.04 LTS (Focal Fossa):ignored
Ubuntu 20.10 (Groovy Gorilla):ignored
More Information

Updated: 2020-09-10 05:51:52 UTC (commit 81a23a978c4436cd99e1d040e9e73e9146876281)