Re: squeeze update of openssh?



On 2016-01-23 06:50:51, Guido Günther wrote:
> Hi Colin,
> On Fri, Jan 15, 2016 at 02:01:44PM +0000, Colin Watson wrote:
>> On Fri, Jan 15, 2016 at 02:50:33PM +0100, Yves-Alexis Perez wrote:
>> > On ven., 2016-01-15 at 14:47 +0100, Guido Günther wrote:
>> > > > I believe Yves-Alexis Perez is handling this.
>> > > 
>> > > I figured Mike's mail is related to
>> > > 
>> > >     TEMP-0000000 Eliminate the fallback from untrusted X11-forwarding to
>> > > trusted forwarding for cases when the X server disables the SECURITY
>> > > extension
>> > > 
>> > > not to CVE-2016-0777 CVE-2016-0778?
>> > 
>> > We've not yet investigated the other, CVE-less vulnerabilities fixed by the
>> > last OpenSSH release (whether for the current stables or for LTS).
>> 
>> OpenSSH upstream decided not to fix the untrusted->trusted forwarding
>> issue in 7.1p2
>> (https://lists.mindrot.org/pipermail/openssh-unix-dev/2016-January/034684.html).
>> I would recommend holding off on that until they've actually blessed a
>> fix for real.
>
> I had a look at RedHat's analysis[1] and at Squeeze, Wheezy and Jessie:
>
>     * Squeeze and Wheezy don't run "xhost +si:localuser:`id -un`" from
>       xinit but we do so from Jessie on

I don't think this is accurate:

Xsession.d$ git lg 35x11-common_xhost-local
* 9b1d914 N debian/local/Xsession.d/35x11-common_xhost-local: add a new
script  to the default X session. It will give access to the running X
server to the logged on user. This is useful for gdm3 which does not
give access to $XAUTHORITY outside the session, but can also be of  use
for other display managers. Closes: #586685. (il y a 4 ans et 2 mois)
<Josselin Mouette>
$ git describe 9b1d914
xorg-1_7.6+9-1-g9b1d914
$ rmadison xorg
debian:
 xorg | 1:7.5+8+squeeze1 | squeeze-security  | source, amd64, armel, i386, ia64, kfreebsd-amd64, kfreebsd-i386, mips, mipsel, powerpc, s390, sparc
 xorg | 1:7.5+8+squeeze1 | squeeze           | source, amd64, armel, i386, ia64, kfreebsd-amd64, kfreebsd-i386, mips, mipsel, powerpc, s390, sparc
 xorg | 1:7.6+8~bpo60+1  | squeeze-backports | source, amd64, armel, i386, ia64, kfreebsd-amd64, kfreebsd-i386, mips, mipsel, powerpc, s390, sparc
 xorg | 1:7.7+3~deb7u1   | wheezy            | source, amd64, armel, armhf, i386, ia64, kfreebsd-amd64, kfreebsd-i386, mips, mipsel, powerpc, s390, s390x, sparc
 xorg | 1:7.7+7          | jessie-kfreebsd   | source, kfreebsd-amd64, kfreebsd-i386
 xorg | 1:7.7+7          | jessie            | source, amd64, arm64, armel, armhf, i386, mips, mipsel, powerpc, ppc64el, s390x
 xorg | 1:7.7+12         | stretch           | source, amd64, arm64, armel, armhf, i386, mips, mipsel, powerpc, ppc64el, s390x
 xorg | 1:7.7+13         | sid               | source, amd64, arm64, armel, armhf, hurd-i386, i386, kfreebsd-amd64, kfreebsd-i386, mips, mips64el, mipsel, powerpc, ppc64el, s390x

i.e. this was introduced in 1:7.6+9-1, and so was shipped with wheezy as
well.

So even if we weren't vulnerable, that would be in squeeze only and
we'll need to fix this for wheezy and above at the very least.

I'll investigate if squeeze is really not vulnerable as well.

a.

-- 
People arbitrarily, or as a matter of taste, assigning numerical values
to non-numerical things. And then they pretend that they haven't just
made the numbers up, which they have. Economics is like astrology in
that sense, except that economics serves to justify the current power
structure, and so it has a lot of fervent believers among the powerful.
                        - Kim Stanley Robinson, Red Mars
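The version reasoning in the mail (which suites ship an xorg at or above 1:7.6+9-1, the version that introduced the xhost-local script) carried through as an added example that is not part of the thread: a Python reimplementation of dpkg's version ordering (epoch, tilde and digit-run rules) applied to the rmadison table quoted above.

```python
import re

# xorg versions per suite, copied from the rmadison output quoted in the mail
RMADISON = {
    "squeeze-security": "1:7.5+8+squeeze1",
    "squeeze": "1:7.5+8+squeeze1",
    "squeeze-backports": "1:7.6+8~bpo60+1",
    "wheezy": "1:7.7+3~deb7u1",
    "jessie": "1:7.7+7",
    "stretch": "1:7.7+12",
    "sid": "1:7.7+13",
}

def _order(c):
    # dpkg ordering of non-digit characters: '~' < end of string < letters < others
    return -1 if c == "~" else 0 if c == "" else ord(c) if c.isalpha() else ord(c) + 256

def _cmp_fragment(a, b):
    # Compare alternating non-digit / digit runs the way dpkg's verrevcmp() does
    while a or b:
        while (a and not a[0].isdigit()) or (b and not b[0].isdigit()):
            ca = a[0] if a and not a[0].isdigit() else ""
            cb = b[0] if b and not b[0].isdigit() else ""
            if _order(ca) != _order(cb):
                return -1 if _order(ca) < _order(cb) else 1
            a = a[1:] if ca else a
            b = b[1:] if cb else b
        da, db = re.match(r"\d*", a).group(), re.match(r"\d*", b).group()
        a, b = a[len(da):], b[len(db):]
        if int(da or 0) != int(db or 0):
            return -1 if int(da or 0) < int(db or 0) else 1
    return 0

def compare_versions(v1, v2):
    """Return -1, 0 or 1 ordering two Debian versions of the form [epoch:]upstream[-revision]."""
    def split(v):
        epoch, rest = v.split(":", 1) if ":" in v else ("0", v)
        upstream, rev = rest.rsplit("-", 1) if "-" in rest else (rest, "")
        return int(epoch), upstream, rev
    (e1, u1, r1), (e2, u2, r2) = split(v1), split(v2)
    if e1 != e2:
        return -1 if e1 < e2 else 1
    return _cmp_fragment(u1, u2) or _cmp_fragment(r1, r2)

def suites_shipping(introduced_in, table=RMADISON):
    """Suites whose xorg is at or above the version that introduced the script."""
    return [s for s, v in table.items() if compare_versions(v, introduced_in) >= 0]
```

Note that the squeeze-backports version 1:7.6+8~bpo60+1 sorts below 1:7.6+9-1 because the digit run 8 loses to 9 before the tilde is ever reached, so only wheezy and later ship the script.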