On Mon 20/8/2018, at 11:55 pm, Matt Johnston <m...@ucc.asn.au> wrote: > > I can confirm Dropbear has the same problem, probably all versions. I should > have a patch in the next couple of days. > > This allows someone to remotely know whether a particular username exists or > not on a server. In some circumstances that could be a problem, though by > itself it doesn't allow exploitation of a server.
This should be fixed by https://secure.ucc.asn.au/hg/dropbear/rev/5d2d1021ca00 , a CVE number is CVE-2018-15599 Cheers, Matt