[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: squeeze update of openssh?

Hi Colin,
On Fri, Jan 15, 2016 at 02:01:44PM +0000, Colin Watson wrote:
> On Fri, Jan 15, 2016 at 02:50:33PM +0100, Yves-Alexis Perez wrote:
> > On ven., 2016-01-15 at 14:47 +0100, Guido Günther wrote:
> > > > I believe Yves-Alexis Perez is handing this.
> > > 
> > > I figured Mike's mail is related to
> > > 
> > >     TEMP-0000000 Eliminate the fallback from untrusted X11-forwarding to
> > > trusted forwarding for cases when the X server disables the SECURITY
> > > extension
> > > 
> > > not to CVE-2016-0777 CVE-2016-0778?
> > 
> > We've not yet investigated the other, CVE-less vulnerabilities fixed by the
> > last OpenSSH release (whether for the current stables or for LTS).
> 
> OpenSSH upstream decided not to fix the untrusted->trusted forwarding
> issue in 7.1p2
> (https://lists.mindrot.org/pipermail/openssh-unix-dev/2016-January/034684.html).
> I would recommend holding off on that until they've actually blessed a
> fix for real.

I had a look at RedHat's analysis[1] and at Squeeze, Wheezy and Jessie:

    * Squeeze and Wheezy don't run "xhost +si:localuser:`id -un`" from
      xinit but we do so from Jessie on
    * we have the security extension enabled

however Debian uses ForwardX11Trused=yes so I wonder if we can safely
flag this as no-dsa needed for at least Wheezy and Squeeze since it does
not seem to affect the default configuration in any way?

Cheers,
 -- Guido


> 
> https://security-tracker.debian.org/tracker/source-package/openssh is
> mistaken in claiming that this is fixed in sid.  It's not.
> 
> -- 
> Colin Watson                                       [cjwatson@debian.org]
> 

[1] https://bugzilla.redhat.com/show_bug.cgi?id=1298741
Reply to: