diff -Nru openssh-6.6p1/debian/changelog openssh-6.6p1/debian/changelog
--- openssh-6.6p1/debian/changelog 2018-01-18 13:41:52.000000000 +0000
+++ openssh-6.6p1/debian/changelog 2018-10-13 23:31:32.000000000 +0000
@@ -1,3 +1,13 @@
+openssh (1:6.6p1-2ubuntu2.11) trusty-security; urgency=medium
+
+ * SECURITY UPDATE: OpenSSH User Enumeration Vulnerability (LP: #1794629)
+ - debian/patches/CVE-2018-15473.patch: delay bailout for invalid
+ authenticating user until after the packet containing the request
+ has been fully parsed.
+ - CVE-2018-15473
+
+ -- Ryan Finnie Sat, 13 Oct 2018 23:31:08 +0000
+
 openssh (1:6.6p1-2ubuntu2.10) trusty-security; urgency=medium
 
 * SECURITY UPDATE: untrusted search path when loading PKCS#11 modules
diff -Nru openssh-6.6p1/debian/patches/CVE-2018-15473.patch openssh-6.6p1/debian/patches/CVE-2018-15473.patch
--- openssh-6.6p1/debian/patches/CVE-2018-15473.patch 1970-01-01 00:00:00.000000000 +0000
+++ openssh-6.6p1/debian/patches/CVE-2018-15473.patch 2018-10-13 23:30:51.000000000 +0000
@@ -0,0 +1,129 @@
+Backport of:
+
+From 779974d35b4859c07bc3cb8a12c74b43b0a7d1e0 Mon Sep 17 00:00:00 2001
+From: djm
+Date: Tue, 31 Jul 2018 03:10:27 +0000
+Subject: [PATCH] =?UTF-8?q?delay=20bailout=20for=20invalid=20authenticatin?=
+ =?UTF-8?q?g=20user=20until=20after=20the=20packet=20containing=20the=20re?=
+ =?UTF-8?q?quest=20has=20been=20fully=20parsed.=20Reported=20by=20Dariusz?=
+ =?UTF-8?q?=20Tytko=20and=20Micha=C5=82=20Sajdak;=20ok=20deraadt?=
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+delay bailout for invalid authenticating user until after the packet
+containing the request has been fully parsed.
+
+---
+ auth2-gss.c | 9 ++++++---
+ auth2-hostbased.c | 9 +++++----
+ auth2-pubkey.c | 20 +++++++++++++-------
+ 3 files changed, 24 insertions(+), 14 deletions(-)
+
+--- a/auth2-gss.c
++++ b/auth2-gss.c
+@@ -101,9 +101,6 @@
+ u_int len;
+ u_char *doid = NULL;
+
+- if (!authctxt->valid || authctxt->user == NULL)
+- return (0);
+-
+ mechs = packet_get_int();
+ if (mechs == 0) {
+ debug("Mechanism negotiation is not supported");
+@@ -134,6 +131,12 @@
+ return (0);
+ }
+
++ if (!authctxt->valid || authctxt->user == NULL) {
++ debug2("%s: disabled because of invalid user", __func__);
++ free(doid);
++ return (0);
++ }
++
+ if (GSS_ERROR(PRIVSEP(ssh_gssapi_server_ctx(&ctxt, &goid)))) {
+ if (ctxt != NULL)
+ ssh_gssapi_delete_ctx(&ctxt);
+--- a/auth2-hostbased.c
++++ b/auth2-hostbased.c
+@@ -64,10 +64,6 @@
+ int pktype;
+ int authenticated = 0;
+
+- if (!authctxt->valid) {
+- debug2("userauth_hostbased: disabled because of invalid user");
+- return 0;
+- }
+ pkalg = packet_get_string(&alen);
+ pkblob = packet_get_string(&blen);
+ chost = packet_get_string(NULL);
+@@ -106,6 +102,11 @@
+ "signature format");
+ goto done;
+ }
++ if (!authctxt->valid || authctxt->user == NULL) {
++ debug2("%s: disabled because of invalid user", __func__);
++ goto done;
++ }
++
+ service = datafellows & SSH_BUG_HBSERVICE ?
"ssh-userauth" :
+ authctxt->service;
+ buffer_init(&b);
+--- a/auth2-pubkey.c
++++ b/auth2-pubkey.c
+@@ -76,15 +76,11 @@
+ Buffer b;
+ Key *key = NULL;
+ char *pkalg, *userstyle;
+- u_char *pkblob, *sig;
++ u_char *pkblob, *sig = NULL;
+ u_int alen, blen, slen;
+ int have_sig, pktype;
+ int authenticated = 0;
+
+- if (!authctxt->valid) {
+- debug2("userauth_pubkey: disabled because of invalid user");
+- return 0;
+- }
+ have_sig = packet_get_char();
+ if (datafellows & SSH_BUG_PKAUTH) {
+ debug2("userauth_pubkey: SSH_BUG_PKAUTH");
+@@ -131,6 +127,12 @@
+ } else {
+ buffer_put_string(&b, session_id2, session_id2_len);
+ }
++ if (!authctxt->valid || authctxt->user == NULL) {
++ debug2("%s: disabled because of invalid user",
++ __func__);
++ buffer_free(&b);
++ goto done;
++ }
+ /* reconstruct packet */
+ buffer_put_char(&b, SSH2_MSG_USERAUTH_REQUEST);
+ xasprintf(&userstyle, "%s%s%s", authctxt->user,
+@@ -162,11 +164,14 @@
+ buffer_len(&b))) == 1)
+ authenticated = 1;
+ buffer_free(&b);
+- free(sig);
+ } else {
+ debug("test whether pkalg/pkblob are acceptable");
+ packet_check_eom();
+-
++ if (!authctxt->valid || authctxt->user == NULL) {
++ debug2("%s: disabled because of invalid user",
++ __func__);
++ goto done;
++ }
+ /* XXX fake reply and always send PK_OK ? */
+ /*
+ * XXX this allows testing whether a user is allowed
+@@ -192,6 +197,7 @@
+ key_free(key);
+ free(pkalg);
+ free(pkblob);
++ free(sig);
+ return authenticated;
+ }
+
diff -Nru openssh-6.6p1/debian/patches/series openssh-6.6p1/debian/patches/series
--- openssh-6.6p1/debian/patches/series 2018-01-18 13:40:51.000000000 +0000
+++ openssh-6.6p1/debian/patches/series 2018-10-13 23:26:47.000000000 +0000
@@ -51,3 +51,4 @@
 CVE-2016-10012-1-2.patch
 CVE-2016-10012-3.patch
 CVE-2017-15906.patch
+CVE-2018-15473.patch
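Review bot: The invalid-user checks the patch adds in auth2-hostbased.c (after the `"signature format"` bailout) and in both auth2-pubkey.c branches sit after the request is fully parsed but still return before whatever key and signature verification a valid user goes through next; those steps are outside the quoted hunks, but if they are the usual key lookup and signature check, the change closes the parse-error oracle described in the changelog while a response-time difference between valid and invalid users remains, which matches upstream 779974d35b4859c07bc3cb8a12c74b43b0a7d1e0 and is worth stating in the patch header so the scope of the backport is clear. The header carries only the upstream git metadata and no DEP-3 fields, so I would add `Bug-Ubuntu: https://launchpad.net/bugs/1794629` and `Origin: backport, commit 779974d35b4859c07bc3cb8a12c74b43b0a7d1e0` above the `Backport of:` line. The C changes themselves are consistent: `sig` is now initialised to NULL in the declaration hunk so the single `free(sig)` moved to `done:` is safe on every path, the new pubkey have_sig bailout frees `b` before jumping to `done`, and the gss bailout frees `doid` before returning. The enclosing functions in auth2-gss.c, auth2-hostbased.c and auth2-pubkey.c all start and end outside the quoted hunks.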