Re: squeeze update of openssh?
- To: Colin Watson <email@example.com>
- Cc: Guido Günther <firstname.lastname@example.org>, Debian OpenSSH Maintainers <email@example.com>, firstname.lastname@example.org
- Subject: Re: squeeze update of openssh?
- From: Antoine Beaupré <email@example.com>
- Date: Mon, 01 Feb 2016 17:17:18 -0500
- Message-id: <firstname.lastname@example.org>
- In-reply-to: <email@example.com>
- References: <20160115104622.GA5647@minobo.das-netzwerkteam.de> <firstname.lastname@example.org> <20160115134712.GB32596@bogon.m.sigxcpu.org> <email@example.com> <20160115140144.GK2181@riva.ucam.org> <20160123115051.GA4447@bogon.m.sigxcpu.org> <firstname.lastname@example.org> <20160130012743.GA8922@riva.ucam.org> <email@example.com>
On 2016-01-30 11:26:59, Antoine Beaupré wrote:
> The problem is, from what I understand, there is no way to fix
> CVE-2016-1908 while ForwardX11Trusted is set to "yes". Basically, that
> setting makes the whole exploit unnecessary because there's no
> protection to work around.
> I am therefore tempted to agree with Guido that we should just mark this
> as no-dsa and move on, because, unless users have explicitly disabled
> ForwardX11Trusted, it's impossible for us to fix that security issue for
I went ahead and did just that.
A genius is someone who discovers that the stone that falls and the
moon that doesn't fall represent one and the same phenomenon.
- Ernesto Sabato
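
The condition discussed in this message (the issue only matters where ForwardX11Trusted has been explicitly disabled) can be checked per host against a client configuration. The following is an added example, not part of the original message and not OpenSSH code; the function names and the sample configuration are constructed, Match blocks are ignored, and the "yes" default for ForwardX11Trusted is assumed from the message.

```python
import fnmatch

# ForwardX11Trusted "yes" is the default assumed from the message above;
# ForwardX11 "no" is the upstream OpenSSH default.
DEFAULTS = {"forwardx11": "no", "forwardx11trusted": "yes"}

# Constructed sample configuration (not from the thread).
SAMPLE = """\
Host build-*.example.org !build-legacy.example.org
    ForwardX11 yes
    ForwardX11Trusted=no
Host *
    ForwardX11 yes
"""

def host_matches(patterns, host):
    """Host line semantics: a negated match vetoes, else any positive match wins."""
    matched = False
    for pat in (p.lower() for p in patterns):
        if pat.startswith("!"):
            if fnmatch.fnmatchcase(host.lower(), pat[1:]):
                return False
        elif fnmatch.fnmatchcase(host.lower(), pat):
            matched = True
    return matched

def effective_x11(config_text, host):
    """Effective X11 options for host; the first value obtained wins."""
    found, active = {}, True  # lines before the first Host apply to all hosts
    for raw in config_text.splitlines():
        parts = raw.strip().replace("=", " ", 1).split(None, 1)
        if len(parts) < 2 or parts[0].startswith("#"):
            continue
        key, value = parts[0].lower(), parts[1].strip().strip('"').lower()
        if key == "host":
            active = host_matches(value.split(), host)
        elif key == "match":
            active = False  # simplification: Match blocks are not evaluated
        elif active and key in DEFAULTS and key not in found:
            found[key] = value
    return {**DEFAULTS, **found}

def untrusted_restrictions_apply(config_text, host):
    """True only if X11 is forwarded and ForwardX11Trusted is explicitly 'no'."""
    opts = effective_x11(config_text, host)
    return opts["forwardx11"] == "yes" and opts["forwardx11trusted"] == "no"
```
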