Started by an SCM change414743616c8731a48eff82ca79506d41e2b1e3f90baf43616c8731a48eff82ca79506d41e2b1e3f90bafrefs/remotes/origin/oi/hipster43616c8731a48eff82ca79506d41e2b1e3f90baf43616c8731a48eff82ca79506d41e2b1e3f90bafrefs/remotes/origin/oi/hipster2a248aeece198193fec99eba994911716ef449c73a248aeece198193fec99eba994911716ef449c73origin/oi/hipstera248aeece198193fec99eba994911716ef449c73origin/HEADa248aeece198193fec99eba994911716ef449c73a248aeece198193fec99eba994911716ef449c73origin/oi/hipstera248aeece198193fec99eba994911716ef449c73origin/HEAD1129cfc2a57e0553acffbe03c3f54f24cadaac25e1b7cfc2a57e0553acffbe03c3f54f24cadaac25e1b7origin/oi/hipstercfc2a57e0553acffbe03c3f54f24cadaac25e1b7cfc2a57e0553acffbe03c3f54f24cadaac25e1b7origin/oi/hipster43616c8731a48eff82ca79506d41e2b1e3f90baf43616c8731a48eff82ca79506d41e2b1e3f90bafrefs/remotes/origin/oi/hipstergit://github.com/OpenIndiana/oi-userland.githttps://hipster.openindiana.org/jenkins/job/oi-userland/4147/artifacthttps://hipster.openindiana.org/jenkins/job/oi-userland/changeshttps://hipster.openindiana.org/jenkins/job/oi-userland/4147/https://hipster.openindiana.org/jenkins/job/oi-userland/4147/testReportfalse#414713104511266995oi-userland #41474147falsefalse41472313SUCCESS1535277007328https://hipster.openindiana.org/jenkins/job/oi-userland/4147/components/network/openssh/Makefilecomponents/network/openssh/patches/CVE-2018-15473.patch43616c8731a48eff82ca79506d41e2b1e3f90baf1535276343000https://hipster.openindiana.org/jenkins/user/wackiAndreas WacknitzA.Wacknitz@gmx.deOpenSSH: fix CVE-2018-15473 (username enumeration) Fix from OpenSSH 7.8p1 (https://www.openssh.com/releasenotes.html): ``` * sshd(8): add some countermeasures against timing attacks used for account validation/enumeration. sshd will enforce a minimum time or each failed authentication attempt consisting of a global 5ms minimum plus an additional per-user 0-4ms delay derived from a host secret. ``` Debian patch: https://sources.debian.org/patches/openssh/1:7.4p1-10+deb9u4/upstream-delay-bailout-for-invalid-authenticating-user.patch/ **Testing (exploit: https://www.exploit-db.com/exploits/45210/)** Affected: ``` $ python 45210.py 192.168.1.12 root [+] Valid username $ python 45210.py 192.168.1.12 thisisinvalid [*] Invalid username ``` Fixed: ``` $ python 45210.py 192.168.1.181 root [+] Valid username $ python 45210.py 192.168.1.181 thisisinvalid [+] Valid username ``` 2018-08-26 11:39:03 +020043616c8731a48eff82ca79506d41e2b1e3f90bafOpenSSH: fix CVE-2018-15473 (username enumeration)addcomponents/network/openssh/patches/CVE-2018-15473.patcheditcomponents/network/openssh/Makefilegithttps://hipster.openindiana.org/jenkins/user/a.wacknitzA.Wacknitza.wacknitz