Re: squeeze update of openssh?

To: Colin Watson <cjwatson@debian.org>
Cc: Guido Günther <agx@sigxcpu.org>, Debian OpenSSH Maintainers <debian-ssh@lists.debian.org>, debian-lts@lists.debian.org
Subject: Re: squeeze update of openssh?
From: Antoine Beaupré <anarcat@orangeseeds.org>
Date: Mon, 01 Feb 2016 17:17:18 -0500
Message-id: <[🔎] 87oac0m5xt.fsf@marcos.anarc.at>
In-reply-to: <87h9hvqbho.fsf@marcos.anarc.at>
References: <20160115104622.GA5647@minobo.das-netzwerkteam.de> <1452864937.2519.5.camel@decadent.org.uk> <20160115134712.GB32596@bogon.m.sigxcpu.org> <1452865833.15013.79.camel@debian.org> <20160115140144.GK2181@riva.ucam.org> <20160123115051.GA4447@bogon.m.sigxcpu.org> <87mvroqd8l.fsf@marcos.anarc.at> <20160130012743.GA8922@riva.ucam.org> <87h9hvqbho.fsf@marcos.anarc.at>

On 2016-01-30 11:26:59, Antoine Beaupré wrote:
> The problem is, from what I understand, there is no way to fix
> CVE-2016-1908 while ForwardX11Trusted is set to "yes". Basically, that
> setting makes the whole exploit unnecessary because there's no
> protection to workaround.
>
> I am therefore tempted to agree with Guido that we should just mark this
> as no-dsa and move on, because, unless users have explicitely disable
> ForwardX11Trusted, it's impossible for us to fix that security issue for
> them.

I went ahead and did just that.

A.

-- 
A genius is someone who discovers that the stone that falls and the
moon that doesn't fall represent one and the same phenomenon.
                         - Ernesto Sabato

Reply to:

Prev by Date: Re: wheezy: update for polarssl's CVE-2015-5291
Next by Date: eglibc packages for test
Previous by thread: Re: Bug#801413: wheezy: update for polarssl's CVE-2015-5291
Next by thread: eglibc packages for test
Index(es):
- Date
- Thread