A flaw was found in OpenSSH versions from 5.9 (September 6, 2011) to the recently released 7.8 (August 24, 2018), inclusive. A remotely observable behaviour in auth-gss2.c could be used by remote attackers to detect existence of users on a target system when GSS2 is in use. Similar to CVE-2018-15473 (it is not a timing attack)
Created openssh tracking bugs for this issue:
Affects: fedora-all [bug 1623185]
Hi everyone, Will this cve be fixed in redhat7 ?
looking for your reply.Thanks.
I didn't find an update for this issue to the RHEL 7.
Is there a fix?
Is this vulnerability still not fixed? Is there a fix? Still think that "system libraries will not treat this type of information leakage as a threat, because the username is considered to be a non-secret part of the user's identity, and an attacker without a password is useless"?
If GSSAPI Authentication is not required, this flaw can be mitigated by changing the global configuration in `/etc/ssh/sshd_config` from `GSSAPIAuthentication yes` to `GSSAPIAuthentication no`.
I updated the doc text. There is nothing like OpenSSHD (even though it is mentioned in few of the advisories. I remember there was something like this for windows, but I can not find it now. We ship OpenSSH in RHEL and its server is called sshd. I would keep it as "OpenSSH server" or sshd, not the combination of both.