openssh CVE-2018-15919 not fix?

Support for security such as Firewalls and securing linux
Post Reply
xxinxi
Posts: 1
Joined: 2019/12/13 08:28:18

openssh CVE-2018-15919 not fix?

Post by xxinxi » 2019/12/13 08:39:01

update centos 7.5 openssh lasted , but not fix CVE-2018-15919 after update.

which openssh Version can fix the bug? or how fix the openssh CVE-2018-15919 bug?

env:
---befor update
openssh-server-7.4p1-16.el7.x86_64
openssh-7.4p1-16.el7.x86_64
openssh-clients-7.4p1-16.el7.x86_64

---after update
openssh-7.4p1-21.el7.x86_64
openssh-server-7.4p1-21.el7.x86_64
openssh-clients-7.4p1-21.el7.x86_64

---check changelog not fix
rpm -qi openssh --changelog|grep CVE|sort
CVE-2006-4924 - prevent DoS on deattack detector (#207957)
- CVE-2006-5051 - don't call cleanups from signal handler (#208459)
- CVE-2006-5794 - properly detect failed key verify in monitor (#214641)
- CVE-2010-4755
- CVE-2015-8325: privilege escalation via user's PAM environment and UseLogin=yes (#1329191)
- CVE-2016-1908: possible fallback from untrusted to trusted X11 forwarding (#1298741)
- CVE-2016-3115: missing sanitisation of input for X11 forwarding (#1317819)
- Fix for CVE-2017-15906 (#1517226)
- Fix for CVE-2018-15473 (#1619079)
- Security fixes released with openssh-6.9 (CVE-2015-5352) (#1247864)
- add new option GSSAPIEnablek5users and disable using ~/.k5users by default CVE-2014-9278
- change default value of MaxStartups - CVE-2010-5107 (#908707)
- fixed audit log injection problem (CVE-2007-3102)
- only query each keyboard-interactive device once (CVE-2015-5600) (#1245971)
- prevent a server from skipping SSHFP lookup - CVE-2014-2653 (#1081338)
- prevents CVE-2016-0777 and CVE-2016-0778
- use fork+exec instead of system in scp - CVE-2006-0225 (#16816

User avatar
TrevorH
Forum Moderator
Posts: 28558
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: openssh CVE-2018-15919 not fix?

Post by TrevorH » 2019/12/13 10:04:43

First thing is that 7.5 is 18 months out of date and you should be on 7.7.

https://access.redhat.com/security/cve/CVE-2018-15919 says "Will not fix" for both 7 and 8 so it's apparent that they do not consider this severe enough to bother to fix.
CentOS 6 will die in November 2020 - migrate sooner rather than later!
Info for USB installs on http://wiki.centos.org/HowTos/InstallFromUSBkey
CentOS 5 is dead, do not use it.
Full time Geek, part time moderator. Use the FAQ Luke

Post Reply

Return to “CentOS 7 - Security Support”