Root, aha! We've finally uncovered the root of the problem. (Sorry. I can't help myself. It's Friday afternoon.)
While Qualys' TLS scanner is a top-notch tool that I use regularly, their "security scanner" is sadly not. They have built a tool that checks version numbers. This is not ideal, because the clear majority of Linux systems do not do wholesale version updates but instead backport specific security fixes: https://wiki.ubuntu.com/SecurityTeam/FAQ#Versions https://www.debian.org/security/faq#version https://wiki.centos.org/FAQ/General#head-3dad8cb98ac535185e58e882a23ca4b096cbff2f https://access.redhat.com/security/updates/backporting These sorts of security scanners would be more useful if everyone built their entire systems from scratch. Anyway, please ask Qualys to consider consuming our OVAL data: https://people.canonical.com/~ubuntu-security/oval/ or parsing our database directly: https://git.launchpad.net/ubuntu-cve-tracker Both of these approaches would give better results. (There are tradeoffs involved. They are welcome to contact us at secur...@ubuntu.com if they would like to discuss the tradeoffs.) Thanks -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1794629 Title: CVE-2018-15473 - User enumeration vulnerability To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/openssh/+bug/1794629/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
