[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

[SECURITY] [DLA 1500-2] openssh regression update

Package        : openssh
Version        : 1:6.7p1-5+deb8u7
Debian Bug     : 908652

The security update of OpenSSH announced as DLA 1500-1 introduced a bug in
openssh-client: when X11 forwarding is enabled (via system-wide
configuration in ssh_config or via -X command line switch), but no DISPLAY
is set, the client produces a "DISPLAY "(null)" invalid; disabling X11
forwarding" warning. These bug was introduced by the patch set to fix the
CVE-2016-1908 issue. For reference, the following is the relevant section
of the original announcement:


    OpenSSH mishandled untrusted X11 forwarding when the X server disables
    the SECURITY extension. Untrusted connections could obtain trusted X11
    forwarding privileges. Reported by Thomas Hoger.

For Debian 8 "Jessie", this problem has been fixed in version

We recommend that you upgrade your openssh packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS

Attachment: signature.asc
Description: PGP signature

Reply to: