List:       oss-security
Subject:    Re: [oss-security] OpenSSH Username Enumeration
From:       Qualys Security Advisory <qsa () qualys ! com>
Date:       2018-08-23 11:36:05
Message-ID: 20180823113605.GA3397 () localhost ! localdomain

Hi all,

On Thu, Aug 23, 2018 at 09:50:08AM +0200, Dariusz Tytko wrote:
> We have published our writeup
> https://sekurak.pl/openssh-users-enumeration-cve-2018-15473/

Great job, and thank you very much for reporting this to the OpenSSH
team in the first place!

Here is our (rough) timeline:

- On July 31,
  https://github.com/openbsd/src/commit/779974d35b4859c07bc3cb8a12c74b43b0a7d1e0
  is committed publicly, but does not explain the reasons for this
  change, and does not flag it as a security fix.

- We read this commit about two weeks later, and realize its security
  implications; we do not know whether distros@vs.openwall.org have been
  contacted about this or not.

- We therefore send our findings to openssh@openssh.com and
  distros@vs.openwall.org, on August 15.

- About 20 minutes later (!), Solar Designer confirms that we should
  post this to oss-security@lists.openwall.com right away (as per
  https://oss-security.openwall.org/wiki/mailing-lists/distros): indeed,
  the issue is already public (if we spotted this commit, then others
  did, too).

- About one hour later, we post our findings to oss-security.

Again, we thank Dariusz Tytko for reporting this issue,
distros@vs.openwall.org for their quick response, and the OpenSSH team
for all their hard and inspiring work. With best regards,

-- 
the Qualys Security Advisory team