Brahmanand Reddy wrote: > CVE-2018-15473 is a "user existence oracle bug which does not meet our > criteria for security advisories". > > You mean this vulnerability which will impact/affects only for Oracle > base? kindly confirm.
"Oracle" in the ancient Greek sense of a person through whom a deity speaks and/or reveals hidden knowledge[1]. Quoting Damien Miller[2]: "I and the other OpenSSH developers don't consider this class of bug a significant vulnerability... this isn't "user enumeration" because it doesn't yield the ability to enumerate or list accounts. It's an oracle; allowing an attacker to make brute-force guesses of account names and verify whether they exist on the target system." [1] https://www.merriam-webster.com/dictionary/oracle [2] https://www.openwall.com/lists/oss-security/2018/08/24/1 ----------------------------------------------------------------- This message and any files transmitted within are intended solely for the addressee or its representative and may contain company proprietary information. If you are not the intended recipient, notify the sender immediately and delete this message. Publication, reproduction, forwarding, or content disclosure is prohibited without the consent of the original sender and may be unlawful. Concurrent Technologies Corporation and its Affiliates. www.ctc.com 1-800-282-4392 ----------------------------------------------------------------- _______________________________________________ freebsd-security@freebsd.org mailing list https://lists.freebsd.org/mailman/listinfo/freebsd-security To unsubscribe, send any mail to "freebsd-security-unsubscr...@freebsd.org"
