FYI: CVE-2018-15473

[_martin]

I was not able to find any news regarding this anywhere on FreeBSD-related pages. The original link on openwall. PoC can be found also here.

 

[SirDice]

It may not have impacted us. The base OpenSSH doesn't track the OpenBSD version entirely, we have our own modified version. Security patches are typically backported. So the change that triggered the CVE may never have been imported.

But if you want to be sure you can always contact the Security Team or look at the actual source in our tree.

 

[_martin]

It may not have impacted us.

I confirm it works on 11.1 FreeBSD: OpenSSH_7.2p2, OpenSSL 1.0.2k-freebsd 26 Jan 2017. I'm currently upgrading to 11.2 but the version there is only 7.5 (versions affected up to 7.7).

 

[SirDice]

I'm currently upgrading to 11.2 but the version there is only 7.5 (versions affected up to 7.7).

Security issues are backported so these version numbers don't always match up.

 

[_martin]

This seems to be a very specific issue, very unlikely to be fixed only in FreeBSD. Anyway, it works on the brand new 11.2 too: OpenSSH_7.5p1, OpenSSL 1.0.2o-freebsd 27 Mar 2018.

As mentioned above, FYI.

EDIT: There's no update in the base nor ports yet. The only option for FreeBSD users is to compile portable version from the oficial sources. I compiled the OpenSSH_7.8p1 (against the same SSL libs) and I confirm issue is not there anymore.

 

[_martin]

I've reported this issue in security. I'm a bit sad to see this bug is not yet fixed in FreeBSD. I consider this bug interesting though, you can easily (enough) guess the valid username on remote server.