Date:      Wed, 24 Apr 2019 09:20:20 -0400
From:      "Cameron, Frank J" <cameron@ctc.com>
To:        Brahmanand Reddy <brahma.gdb@gmail.com>
Cc:        FreeBSD-security@freebsd.org, openssh@openssh.com
Subject:   Re: POC and patch for the CVE-2018-15473
Message-ID:  <20190424132020.GX32299@linux18.ctc.com>
In-Reply-To: <CAKsRH7njoE9VD+gxg6ZrZ4vPT_4b9-Hnz+1b8fVeQVcjse91mQ@mail.gmail.com>
References:  <CAKsRH7mBLc3FTJ08uETkniG=wdwyaZrvpYYJAxYmj+pPRU4ibw@mail.gmail.com> <86mukfhfb3.fsf@next.des.no> <CAKsRH7njoE9VD+gxg6ZrZ4vPT_4b9-Hnz+1b8fVeQVcjse91mQ@mail.gmail.com>

Brahmanand Reddy wrote:
> CVE-2018-15473 is a "user existence oracle bug which does not meet our
> criteria for security advisories".
> 
> You mean this vulnerability will impact/affect only Oracle-based
> systems?  Kindly confirm.

"Oracle" in the ancient Greek sense of a person through whom a deity
speaks and/or reveals hidden knowledge[1].

Quoting Damien Miller[2]:
"I and the other OpenSSH developers don't consider this class of bug a
significant vulnerability... this isn't "user enumeration" because it
doesn't yield the ability to enumerate or list accounts. It's an oracle;
allowing an attacker to make brute-force guesses of account names and
verify whether they exist on the target system."

[1] https://www.merriam-webster.com/dictionary/oracle
[2] https://www.openwall.com/lists/oss-security/2018/08/24/1
