Re: openssh_7.2p2+ availability for wheezy
On 27.07.17 15:42, Adam Weremczuk wrote:
These are the vulnerability I'm referring to and they have been
addressed in OpenSSH versions 6.6 and 7.2p2:
Threat 1:
The sshd server fails to validate user-supplied X11 authentication
credentials
when establishing an X11 forwarding session. An authenticated user
may inject
arbitrary xauth commands by sending an x11 channel request that includes a
newline character in the x11 cookie.
Please note that Systems with X11Forwarding enabled are affected.
Affected Versions:
OpenSSH versions prior to 7.2p2
you are apparently talking about CVE-2016-3115
https://security-tracker.debian.org/tracker/CVE-2016-3115
see noted at bottom:
[jessie] - openssh <no-dsa> (Minor issue)
[wheezy] - openssh <no-dsa> (Minor issue)
this was apparently resolved as minor, so no DSA was issued.
Threat 2:
The security issue is caused by an error within the "child_set_env()"
function
(usr.bin/ssh/session.c) and can be exploited to bypass intended environment
restrictions by using a substring before a wildcard character.
Affected Versions:
OpenSSH Versions prior to 6.6 are affected
apparently CVE-2014-2532
openssh (PTS) wheezy 1:6.0p1-4+deb7u4 fixed
wheezy (security) 1:6.0p1-4+deb7u6 fixed
jessie (security), jessie 1:6.7p1-5+deb8u3 fixed
stretch 1:7.4p1-10+deb9u1 fixed
buster, sid 1:7.5p1-5 fixed
fixed long ago
--
Matus UHLAR - fantomas, uhlar@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
I wonder how much deeper the ocean would be without sponges.
Reply to: