Public bug reported: Hi
This is regarding the openssh vulnerability reported in our environment during security scan. Our environment base is ubuntu 16.04 Xenial. Vulnerability report says that openssh is vulnerable in 16.04. It says: ** DISPUTED ** The kex_input_kexinit function in kex.c in OpenSSH 6.x and 7.x through 7.3 allows remote attackers to cause a denial of service (memory consumption) by sending many duplicate KEXINIT requests. NOTE: a third party reports that "OpenSSH upstream does not consider this as a security issue." As per below link this is ignored on 16.04. But as per the vulnerability scan in our environment this is reported as high priority issue. https://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-8858.html And this Vulnerability is reported to be fixed from 18.04 ubuntu releases in openssh 7.3 later versions. But in 16.04 the latest openssh version is of 7.2 As per https://launchpad.net/ubuntu/xenial/+source/openssh Can we even expect to be get this openssh vulnerability fixed even in 16.04? Best Regards, Sowmya Divvi ** Affects: openssh (Ubuntu) Importance: Undecided Status: New -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1891123 Title: Openssh vulnerability on ubuntu 16.04 To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/openssh/+bug/1891123/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
