From owner-freebsd-security@freebsd.org  Wed Apr 24 10:24:03 2019
Return-Path: <owner-freebsd-security@freebsd.org>
Delivered-To: freebsd-security@mailman.ysv.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1])
 by mailman.ysv.freebsd.org (Postfix) with ESMTP id 3D11D159446C
 for <freebsd-security@mailman.ysv.freebsd.org>;
 Wed, 24 Apr 2019 10:24:03 +0000 (UTC) (envelope-from des@freebsd.org)
Received: from smtp.freebsd.org (smtp.freebsd.org
 [IPv6:2610:1c1:1:606c::24b:4])
 (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
 server-signature RSA-PSS (4096 bits)
 client-signature RSA-PSS (4096 bits) client-digest SHA256)
 (Client CN "smtp.freebsd.org",
 Issuer "Let's Encrypt Authority X3" (verified OK))
 by mx1.freebsd.org (Postfix) with ESMTPS id D689186493;
 Wed, 24 Apr 2019 10:24:02 +0000 (UTC) (envelope-from des@freebsd.org)
Received: from next.des.no (cm-84.215.56.209.getinternet.no [84.215.56.209])
 (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
 (Client did not present a certificate) (Authenticated sender: des)
 by smtp.freebsd.org (Postfix) with ESMTPSA id 853CA2A50D;
 Wed, 24 Apr 2019 10:24:02 +0000 (UTC) (envelope-from des@freebsd.org)
Received: by next.des.no (Postfix, from userid 1001)
 id EF15985A1; Wed, 24 Apr 2019 12:24:00 +0200 (CEST)
From: =?utf-8?Q?Dag-Erling_Sm=C3=B8rgrav?= <des@FreeBSD.org>
To: Brahmanand Reddy <brahma.gdb@gmail.com>
Cc: openssh@openssh.com,  FreeBSD-security@freebsd.org
Subject: Re: POC and patch for the CVE-2018-15473
In-Reply-To: <CAKsRH7mBLc3FTJ08uETkniG=wdwyaZrvpYYJAxYmj+pPRU4ibw@mail.gmail.com>
 (Brahmanand Reddy's message of "Tue, 23 Apr 2019 06:46:15 +0530")
References: <CAKsRH7mBLc3FTJ08uETkniG=wdwyaZrvpYYJAxYmj+pPRU4ibw@mail.gmail.com>
User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/26.1 (berkeley-unix)
Date: Wed, 24 Apr 2019 12:24:00 +0200
Message-ID: <86mukfhfb3.fsf@next.des.no>
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: quoted-printable
X-Rspamd-Queue-Id: D689186493
X-Spamd-Bar: --
Authentication-Results: mx1.freebsd.org
X-Spamd-Result: default: False [-2.98 / 15.00];
 local_wl_from(0.00)[freebsd.org];
 NEURAL_HAM_MEDIUM(-1.00)[-1.000,0];
 NEURAL_HAM_LONG(-1.00)[-1.000,0]; TAGGED_RCPT(0.00)[];
 NEURAL_HAM_SHORT(-0.98)[-0.981,0];
 ASN(0.00)[asn:11403, ipnet:2610:1c1:1::/48, country:US]
X-Mailman-Approved-At: Wed, 24 Apr 2019 10:29:59 +0000
X-BeenThere: freebsd-security@freebsd.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Security issues \[members-only posting\]"
 <freebsd-security.freebsd.org>
List-Unsubscribe: <https://lists.freebsd.org/mailman/options/freebsd-security>, 
 <mailto:freebsd-security-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-security/>
List-Post: <mailto:freebsd-security@freebsd.org>
List-Help: <mailto:freebsd-security-request@freebsd.org?subject=help>
List-Subscribe: <https://lists.freebsd.org/mailman/listinfo/freebsd-security>, 
 <mailto:freebsd-security-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Wed, 24 Apr 2019 10:24:03 -0000

Brahmanand Reddy <brahma.gdb@gmail.com> writes:
> regarding the CVE-2018-15473 dint find find official patch from the opens=
sh
> on freebsd OS base.

CVE-2018-15473 is a user existence oracle bug which does not meet our
criteria for security advisories.

FreeBSD 12 has OpenSSH 7.8, which is patched.  FreeBSD 11 has OpenSSH
7.5, which is not.

DES
--=20
Dag-Erling Sm=C3=B8rgrav - des@FreeBSD.org