Root, aha! We've finally uncovered the root of the problem. (Sorry. I can't help myself. It's Friday afternoon.)
While Qualys' TLS scanner is a top-notch tool that I use regularly, their "security scanner" is sadly not. They have built a tool that checks version numbers. This is not ideal, because the clear majority of Linux systems do not do wholesale version updates but instead backport specific security fixes:

https://wiki.ubuntu.com/SecurityTeam/FAQ#Versions
https://www.debian.org/security/faq#version
https://wiki.centos.org/FAQ/General#head-3dad8cb98ac535185e58e882a23ca4b096cbff2f
https://access.redhat.com/security/updates/backporting

These sorts of security scanners would be more useful if everyone built their entire systems from scratch.

Anyway, please ask Qualys to consider consuming our OVAL data:
https://people.canonical.com/~ubuntu-security/oval/

or parsing our database directly:
https://git.launchpad.net/ubuntu-cve-tracker

Both of these approaches would give better results. (There are tradeoffs involved. They are welcome to contact us at secur...@ubuntu.com if they would like to discuss the tradeoffs.)

Thanks

--
https://bugs.launchpad.net/bugs/1794629

Title:
  CVE-2018-15473 - User enumeration vulnerability

Status in openssh package in Ubuntu:
  Fix Released
Status in openssh source package in Trusty:
  Fix Released
Status in openssh source package in Xenial:
  Fix Released
Status in openssh source package in Bionic:
  Fix Released
Status in openssh source package in Cosmic:
  Fix Released

Bug description:
  https://nvd.nist.gov/vuln/detail/CVE-2018-15473

  OpenSSH through 7.7 is prone to a user enumeration vulnerability due to not delaying bailout for an invalid authenticating user until after the packet containing the request has been fully parsed, related to auth2-gss.c, auth2-hostbased.c, and auth2-pubkey.c.

  Fixed in Debian: https://www.debian.org/security/2018/dsa-4280

  Currently pending triage?
  https://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-15473.html