List: oss-security
Subject: Re: [oss-security] OpenSSH Username Enumeration
From: Qualys Security Advisory <qsa () qualys ! com>
Date: 2018-08-23 11:36:05
Message-ID: 20180823113605.GA3397 () localhost ! localdomain
Hi all,
On Thu, Aug 23, 2018 at 09:50:08AM +0200, Dariusz Tytko wrote:
> We have published our writeup
> https://sekurak.pl/openssh-users-enumeration-cve-2018-15473/
Great job, and thank you very much for reporting this to the OpenSSH
team in the first place!
Here is our (rough) timeline:
- On July 31,
https://github.com/openbsd/src/commit/779974d35b4859c07bc3cb8a12c74b43b0a7d1e0
is committed publicly, but does not explain the reasons for this
change, and does not flag it as a security fix.
- We read this commit about two weeks later, and realize its security
implications; we do not know whether distros@vs.openwall.org have been
contacted about this or not.
- We therefore send our findings to openssh@openssh.com and
distros@vs.openwall.org, on August 15.
- About 20 minutes later (!), Solar Designer confirms that we should
post this to oss-security@lists.openwall.com right away (as per
https://oss-security.openwall.org/wiki/mailing-lists/distros): indeed,
the issue is already public (if we spotted this commit, then others
did, too).
- About one hour later, we post our findings to oss-security.
Again, we thank Dariusz Tytko for reporting this issue,
distros@vs.openwall.org for their quick response, and the OpenSSH team
for all their hard and inspiring work.
With best regards,
--
the Qualys Security Advisory team