Re: squeeze update of openssh?
- To: Colin Watson <cjwatson@debian.org>
- Cc: Guido Günther <agx@sigxcpu.org>, Debian OpenSSH Maintainers <debian-ssh@lists.debian.org>, debian-lts@lists.debian.org
- Subject: Re: squeeze update of openssh?
- From: Antoine Beaupré <anarcat@orangeseeds.org>
- Date: Mon, 01 Feb 2016 17:17:18 -0500
- Message-id: <87oac0m5xt.fsf@marcos.anarc.at>
- In-reply-to: <87h9hvqbho.fsf@marcos.anarc.at>
- References: <20160115104622.GA5647@minobo.das-netzwerkteam.de> <1452864937.2519.5.camel@decadent.org.uk> <20160115134712.GB32596@bogon.m.sigxcpu.org> <1452865833.15013.79.camel@debian.org> <20160115140144.GK2181@riva.ucam.org> <20160123115051.GA4447@bogon.m.sigxcpu.org> <87mvroqd8l.fsf@marcos.anarc.at> <20160130012743.GA8922@riva.ucam.org> <87h9hvqbho.fsf@marcos.anarc.at>
On 2016-01-30 11:26:59, Antoine Beaupré wrote:
> The problem is, from what I understand, there is no way to fix
> CVE-2016-1908 while ForwardX11Trusted is set to "yes". Basically, that
> setting makes the whole exploit unnecessary because there's no
> protection to work around.
>
> I am therefore tempted to agree with Guido that we should just mark this
> as no-dsa and move on, because, unless users have explicitly disabled
> ForwardX11Trusted, it's impossible for us to fix that security issue for
> them.
I went ahead and did just that.
A.
--
A genius is someone who discovers that the stone that falls and the
moon that doesn't fall represent one and the same phenomenon.
- Ernesto Sabato