Re: squeeze update of openssh?
Hi Colin,
On Fri, Jan 15, 2016 at 02:01:44PM +0000, Colin Watson wrote:
> On Fri, Jan 15, 2016 at 02:50:33PM +0100, Yves-Alexis Perez wrote:
> > On ven., 2016-01-15 at 14:47 +0100, Guido Günther wrote:
> > > > I believe Yves-Alexis Perez is handing this.
> > >
> > > I figured Mike's mail is related to
> > >
> > > TEMP-0000000 Eliminate the fallback from untrusted X11-forwarding to
> > > trusted forwarding for cases when the X server disables the SECURITY
> > > extension
> > >
> > > not to CVE-2016-0777 CVE-2016-0778?
> >
> > We've not yet investigated the other, CVE-less vulnerabilities fixed by the
> > last OpenSSH release (whether for the current stables or for LTS).
>
> OpenSSH upstream decided not to fix the untrusted->trusted forwarding
> issue in 7.1p2
> (https://lists.mindrot.org/pipermail/openssh-unix-dev/2016-January/034684.html).
> I would recommend holding off on that until they've actually blessed a
> fix for real.
I had a look at RedHat's analysis[1] and at Squeeze, Wheezy and Jessie:
* Squeeze and Wheezy don't run "xhost +si:localuser:`id -un`" from
xinit but we do so from Jessie on
* we have the security extension enabled
however Debian uses ForwardX11Trused=yes so I wonder if we can safely
flag this as no-dsa needed for at least Wheezy and Squeeze since it does
not seem to affect the default configuration in any way?
Cheers,
-- Guido
>
> https://security-tracker.debian.org/tracker/source-package/openssh is
> mistaken in claiming that this is fixed in sid. It's not.
>
> --
> Colin Watson [cjwatson@debian.org]
>
[1] https://bugzilla.redhat.com/show_bug.cgi?id=1298741
Reply to: