Root, version 1:7.6p1-4ubuntu0.1 included the fix for CVE-2018-15473. Version 1:7.6p1-4ubuntu0.2 is included in the disc image ubuntu-18.04.2 -server-amd64:
$ sha256sum ubuntu-18.04.2-server-amd64.iso a2cb36dc010d98ad9253ea5ad5a07fd6b409e3412c48f1860536970b073c98f5 ubuntu-18.04.2-server-amd64.iso $ bsdtar tf ubuntu-18.04.2-server-amd64.iso | grep openssh pool/main/o/openssh pool/main/o/openssh/openssh-client-udeb_7.6p1-4ubuntu0.2_amd64.udeb pool/main/o/openssh/openssh-client_7.6p1-4ubuntu0.2_amd64.deb pool/main/o/openssh/openssh-server-udeb_7.6p1-4ubuntu0.2_amd64.udeb pool/main/o/openssh/openssh-server_7.6p1-4ubuntu0.2_amd64.deb pool/main/o/openssh/openssh-sftp-server_7.6p1-4ubuntu0.2_amd64.deb pool/main/o/openssh/ssh_7.6p1-4ubuntu0.2_all.deb 1:7.6p1-4ubuntu0.2 includes the fix from 1:7.6p1-4ubuntu0.1 and fixes three more CVEs: - CVE-2018-20685 - CVE-2019-6109 - CVE-2019-6111 During the install, you have the option of downloading and installing updates. These additional updates include openssh version 1:7.6p1-4ubuntu0.3 which includes addition fixes for one CVE: - CVE-2019-6111 Thanks ** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2018-20685 ** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2019-6109 ** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2019-6111 -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to openssh in Ubuntu. https://bugs.launchpad.net/bugs/1794629 Title: CVE-2018-15473 - User enumeration vulnerability Status in openssh package in Ubuntu: Fix Released Status in openssh source package in Trusty: Fix Released Status in openssh source package in Xenial: Fix Released Status in openssh source package in Bionic: Fix Released Status in openssh source package in Cosmic: Fix Released Bug description: https://nvd.nist.gov/vuln/detail/CVE-2018-15473 OpenSSH through 7.7 is prone to a user enumeration vulnerability due to not delaying bailout for an invalid authenticating user until after the packet containing the request has been fully parsed, related to auth2-gss.c, auth2-hostbased.c, and auth2-pubkey.c. Fixed in Debian: https://www.debian.org/security/2018/dsa-4280 Currently pending triage? https://people.canonical.com/~ubuntu- security/cve/2018/CVE-2018-15473.html To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/openssh/+bug/1794629/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : [email protected] Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
