oss-sec mailing list archives
Re: OpenSSH Username Enumeration
From: Qualys Security Advisory <qsa () qualys com>
Date: Thu, 23 Aug 2018 04:36:05 -0700
Hi all,

On Thu, Aug 23, 2018 at 09:50:08AM +0200, Dariusz Tytko wrote:

> We have published our writeup https://sekurak.pl/openssh-users-enumeration-cve-2018-15473/

Great job, and thank you very much for reporting this to the OpenSSH team in the first place! Here is our (rough) timeline:

- On July 31, https://github.com/openbsd/src/commit/779974d35b4859c07bc3cb8a12c74b43b0a7d1e0 is committed publicly, but does not explain the reasons for this change, and does not flag it as a security fix.

- We read this commit about two weeks later, and realize its security implications; we do not know whether distros () vs openwall org have been contacted about this or not.

- We therefore send our findings to openssh () openssh com and distros () vs openwall org, on August 15.

- About 20 minutes later (!), Solar Designer confirms that we should post this to oss-security () lists openwall com right away (as per https://oss-security.openwall.org/wiki/mailing-lists/distros): indeed, the issue is already public (if we spotted this commit, then others did, too).

- About one hour later, we post our findings to oss-security.

Again, we thank Dariusz Tytko for reporting this issue, distros () vs openwall org for their quick response, and the OpenSSH team for all their hard and inspiring work.

With best regards,

-- 
the Qualys Security Advisory team
Current thread:
- OpenSSH Username Enumeration Qualys Security Advisory (Aug 15)
- Re: OpenSSH Username Enumeration Matthew Daley (Aug 16)
- Re: OpenSSH Username Enumeration Salvatore Bonaccorso (Aug 17)
- Re: OpenSSH Username Enumeration Dariusz Tytko (Aug 17)
- Re: OpenSSH Username Enumeration Dariusz Tytko (Aug 23)
- Re: OpenSSH Username Enumeration Solar Designer (Aug 23)
- Re: OpenSSH Username Enumeration Qualys Security Advisory (Aug 23)