[Bug 1934501] Re: CVE-2018-15473 patch introduce user enumeration vulnerability
Thanks, Kazza. That certainly helped. I also had a word with Marc and we reached the conclusion that Stretch isn't affected by this backporting problem. Thanks, again! \o/

--
You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1934501

Title:
  CVE-2018-15473 patch introduce user enumeration vulnerability

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/openssh/+bug/1934501/+subscriptions

--
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1934501] Re: CVE-2018-15473 patch introduce user enumeration vulnerability
Hello Utkarsh,

I've just quickly run through the steps in the original bug report against a recent Debian Stretch docker image and was not able to reproduce it.

Image tested:

  $ docker images | grep stretch
  debianstretch d74a4ce6ed8b 11 days ago 101MB

If you are concerned, I suggest looking into the history/VCS logs of:

* debian/patches/CVE-2018-15473.patch

Then you can know if it traces back to Debian.

Hope it helps.
[Bug 1934501] Re: CVE-2018-15473 patch introduce user enumeration vulnerability
Hi Kazza, Marc,

I was wondering if you can repro the same bug in Debian Stretch? Do you have the capacity to test that as well, please? :)
[Bug 1934501] Re: CVE-2018-15473 patch introduce user enumeration vulnerability
Here's the debconf bug report: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=223683
[Bug 1934501] Re: CVE-2018-15473 patch introduce user enumeration vulnerability
This isn't specific to the openssh update. Debian packages use tools such as debconf that need to write to /tmp to function correctly.

** Bug watch added: Debian Bug tracker #223683
   https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=223683
[Bug 1934501] Re: CVE-2018-15473 patch introduce user enumeration vulnerability
Hi. I believe my Ubuntu systems just received this patch and I believe it failed to install:

  Can't exec "/tmp/openssh-server.config.neW0Pf": Permission denied at /usr/share/perl/5.26/IPC/Open3.pm line 178.
  open2: exec of /tmp/openssh-server.config.neW0Pf configure 1:7.6p1-4ubuntu0.3 failed: Permission denied at /usr/share/perl5/Debconf/ConfModule.pm line 59.

I think this is due to the fact I have noexec on /tmp. Is it possible to bundle the changes in the package instead of putting a random temporary file in /tmp and attempting to execute it?
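Added example (not part of the bug thread and not debconf's own code): a shell check for the condition described in the report above, a noexec mount on the directory where the package's config script is written and executed. The helper names mount_opts_for and is_noexec and the sample mount table are constructed for illustration; on a real system feed the functions /proc/mounts on stdin.

```shell
#!/bin/sh
# Added example: find out whether the filesystem holding a directory is
# mounted noexec. Mount tables are read from stdin in /proc/mounts format.

# Print the options of the mount that covers path $1 (longest mount point
# that is a prefix of the path; later entries win for equal mount points).
# Mount points containing spaces (escaped as \040) are not handled.
mount_opts_for() {
    awk -v path="$1" '
        {
            mp = $2
            # A mount covers the path if it is "/", the path itself,
            # or a parent directory of the path.
            if (mp == "/" || path == mp || index(path, mp "/") == 1) {
                if (length(mp) >= best) { best = length(mp); opts = $4 }
            }
        }
        END { print opts }
    '
}

# Return 0 if the filesystem covering path $1 carries the noexec option.
is_noexec() {
    case ",$(mount_opts_for "$1")," in
        *,noexec,*) return 0 ;;
        *) return 1 ;;
    esac
}

# Constructed sample mount table (not taken from the reporter's system).
SAMPLE_MOUNTS='/dev/sda1 / ext4 rw,relatime 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev,noexec 0 0
/dev/sda2 /var ext4 rw,relatime 0 0'

# The temporary file name from the error message, plus a directory on /var.
for p in /tmp/openssh-server.config.neW0Pf /var/cache/debconf; do
    if printf '%s\n' "$SAMPLE_MOUNTS" | is_noexec "$p"; then
        echo "$p: noexec, exec of files here fails with Permission denied"
    else
        echo "$p: exec allowed"
    fi
done
```

To check the running system: is_noexec /tmp < /proc/mounts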
[Bug 1934501] Re: CVE-2018-15473 patch introduce user enumeration vulnerability
** Information type changed from Private Security to Public Security