oss-sec mailing list archives

Re: OpenSSH Username Enumeration

From: Qualys Security Advisory <qsa () qualys com>
Date: Thu, 23 Aug 2018 04:36:05 -0700

Hi all,

On Thu, Aug 23, 2018 at 09:50:08AM +0200, Dariusz Tytko wrote:
> We have published our writeup
> https://sekurak.pl/openssh-users-enumeration-cve-2018-15473/

Great job, and thank you very much for reporting this to the OpenSSH
team in the first place!

Here is our (rough) timeline:

- On July 31,
  https://github.com/openbsd/src/commit/779974d35b4859c07bc3cb8a12c74b43b0a7d1e0
  is committed publicly, but does not explain the reasons for this
  change, and does not flag it as a security fix.

- We read this commit about two weeks later, and realize its security
  implications; we do not know whether distros () vs openwall org have been
  contacted about this or not.

- We therefore send our findings to openssh () openssh com and
  distros () vs openwall org, on August 15.

- About 20 minutes later (!), Solar Designer confirms that we should
  post this to oss-security () lists openwall com right away (as per
  https://oss-security.openwall.org/wiki/mailing-lists/distros): indeed,
  the issue is already public (if we spotted this commit, then others
  did, too).

- About one hour later, we post our findings to oss-security.

Again, we thank Dariusz Tytko for reporting this issue,
distros () vs openwall org for their quick response, and the OpenSSH team
for all their hard and inspiring work. With best regards,

-- 
the Qualys Security Advisory team