Thanks for taking the time to report this bug and make Ubuntu better. You can see more information about these CVEs by using the CVE tracker. See

https://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-8858.html
https://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-10009.html
https://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-10010.html
https://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-10011.html
https://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-10012.html

CVE-2016-8858 is disputed by upstream since the attacker can only DoS their own connection. CVE-2016-10012 is related to pre-auth compression, which has been disabled by default for > 10 years. CVE-2016-10010 is only impactful if privilege separation is not used; however, privilege separation is enabled by default. CVE-2016-10009 and CVE-2016-20011 are both low priority.

These issues are on the list to be fixed and will be fixed as soon as possible based on their priority.

Will your scanning software allow you to annotate findings?

** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2016-20011

--
https://bugs.launchpad.net/bugs/1732172

Title:
  [CVE] Security Vulnerabilities in OpenSSH on Ubuntu 14.04

Status in openssh package in Ubuntu:
  New

Bug description:
  Does anyone know when the following OpenSSH vulnerabilities will be patched on Ubuntu 14.04

  CVE-2016-10009, CVE-2016-10010, CVE-2016-10011, CVE-2016-10012, CVE-2016-8858

  As these are coming up repeatedly on our security scans
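
Added example, not part of the original message and not Ubuntu or OpenSSH code: a small Python check that reads an sshd_config and reports whether the two settings named in the reply (privilege separation for CVE-2016-10010, pre-auth compression for CVE-2016-10012) are in the state that makes the scanner finding relevant, so the result can be recorded as an annotation. The default values, the function names and the sample configurations are assumptions made for this example.

```python
# Added example. Defaults are assumptions based on the reply above:
# privilege separation enabled, compression only after authentication.
DEFAULTS = {"useprivilegeseparation": "yes", "compression": "delayed"}

# Setting values under which the reply says each CVE matters.
EXPOSED = {
    "CVE-2016-10010": ("useprivilegeseparation", {"no"}),
    "CVE-2016-10012": ("compression", {"yes"}),
}

def effective_settings(config_text):
    """Return the global value in effect for each keyword in DEFAULTS."""
    seen = {}
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(None, 1)
        keyword = fields[0].lower()          # keywords are case-insensitive
        if keyword == "match":
            break                            # both keywords are global-only
        value = fields[1].strip().strip('"').lower() if len(fields) > 1 else ""
        # sshd_config uses the first value obtained for a keyword.
        if keyword in DEFAULTS and keyword not in seen:
            seen[keyword] = value
    return {**DEFAULTS, **seen}

def findings_to_review(config_text):
    """Map each CVE to True when its mitigating setting is NOT in place."""
    eff = effective_settings(config_text)
    return {cve: eff[key] in bad for cve, (key, bad) in EXPOSED.items()}

# Constructed sample inputs (not taken from any real host).
SAMPLE_DEFAULT = "# constructed sample\nPort 22\nUsePrivilegeSeparation yes\n"
SAMPLE_RISKY = (
    "useprivilegeseparation no\n"
    "Compression yes\n"
    "Compression delayed\n"      # ignored: first value wins
    "Match User backup\n"
    "    X11Forwarding no\n"
)

if __name__ == "__main__":
    for name, text in (("default", SAMPLE_DEFAULT), ("risky", SAMPLE_RISKY)):
        print(name, findings_to_review(text))
```

On a live host the text to feed in would be the contents of /etc/ssh/sshd_config; a False result means the configuration matches the mitigating default described in the reply.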