Date: Thu, 25 Apr 2019 11:46:34 +0200
From: Dag-Erling Smørgrav <des@FreeBSD.org>
To: Brahmanand Reddy <brahma.gdb@gmail.com>
Cc: openssh@openssh.com, FreeBSD-security@freebsd.org
Subject: Re: POC and patch for the CVE-2018-15473
Message-ID: <86ftq6to1x.fsf@next.des.no>
In-Reply-To: <CAKsRH7njoE9VD%2Bgxg6ZrZ4vPT_4b9-Hnz%2B1b8fVeQVcjse91mQ@mail.gmail.com> (Brahmanand Reddy's message of "Wed, 24 Apr 2019 16:57:37 +0530")
References: <CAKsRH7mBLc3FTJ08uETkniG=wdwyaZrvpYYJAxYmj%2BpPRU4ibw@mail.gmail.com>
 <86mukfhfb3.fsf@next.des.no>
 <CAKsRH7njoE9VD%2Bgxg6ZrZ4vPT_4b9-Hnz%2B1b8fVeQVcjse91mQ@mail.gmail.com>

Brahmanand Reddy <brahma.gdb@gmail.com> writes:
> CVE-2018-15473 is a "user existence oracle bug which does not meet our
> criteria for security advisories".
>
> You mean this vulnerability which will impact/affects only for Oracle
> base? . kindly confirm.

An oracle vulnerability is a type of information disclosure bug which
does not directly expose information but can be used to confirm guesses.
In this case, the bug allows you to confirm the existence of an account
by attempting to log into it with a random password. It does not
actually give you a list of existing accounts, as “account enumeration”
would suggest.

DES
-- 
Dag-Erling Smørgrav - des@FreeBSD.org
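
Added illustration, not part of the original message and not OpenSSH code: a constructed toy login check showing what makes a failed login a user existence oracle, next to a form that answers identically for known and unknown accounts. It does not model the mechanism of CVE-2018-15473; the account store, function names and reply strings are all assumptions made for the example.

```python
import hashlib
import hmac
import os


def _hash(password: str, salt: bytes) -> bytes:
    # Low iteration count keeps the example fast; not a production setting.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 1000)


def make_store(accounts):
    """Build a constructed account store: username -> (salt, password hash)."""
    store = {}
    for user, password in accounts.items():
        salt = os.urandom(16)
        store[user] = (salt, _hash(password, salt))
    return store


# Dummy record so that an unknown user costs the same hash computation.
_DUMMY_SALT = os.urandom(16)
_DUMMY_HASH = _hash("not-a-real-password", _DUMMY_SALT)


def login_leaky(store, user, password):
    """Failure replies differ by account existence: the reply is the oracle."""
    if user not in store:
        return "no such user"
    salt, expected = store[user]
    if not hmac.compare_digest(_hash(password, salt), expected):
        return "bad password"
    return "ok"


def login_uniform(store, user, password):
    """Same work and same failure reply whether or not the account exists."""
    salt, expected = store.get(user, (_DUMMY_SALT, _DUMMY_HASH))
    match = hmac.compare_digest(_hash(password, salt), expected)
    if user in store and match:
        return "ok"
    return "authentication failed"


def is_existence_oracle(login, store, known_user, unknown_user):
    """Regression check: do failed logins differ between the two accounts?"""
    wrong = "wrong-" + os.urandom(8).hex()
    return login(store, known_user, wrong) != login(store, unknown_user, wrong)
```

The check only ever answers yes or no about one name supplied by the caller, which is the distinction the message draws between an oracle and a listing of accounts.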
