
Bug#320104: marked as done (ssh: Xforwarding is disabled and is not a debconf option either)



Your message dated Wed, 14 Sep 2005 08:02:06 -0700
with message-id <E1EFYly-0005JA-00@spohr.debian.org>
and subject line Bug#320104: fixed in openssh 1:4.2p1-1
has caused the attached Bug report to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere.  Please contact me immediately.)

Debian bug tracking system administrator
(administrator, Debian Bugs database)

--------------------------------------
Received: (at submit) by bugs.debian.org; 26 Jul 2005 23:51:07 +0000
>From root@lkcl.net Tue Jul 26 16:51:07 2005
Return-path: <root@lkcl.net>
Received: from free.hands.com [83.142.228.128] 
	by spohr.debian.org with esmtp (Exim 3.36 1 (Debian))
	id 1DxZCV-0003bi-00; Tue, 26 Jul 2005 16:51:07 -0700
Received: from lkcl.net (safe.hands.com [195.147.202.226])
	by free.hands.com (Postfix) with ESMTP id 010E2BF32
	for <submit@bugs.debian.org>; Wed, 27 Jul 2005 00:51:04 +0100 (BST)
Received: from root by lkcl.net with local (Exim 4.24)
	id 1DxZCV-00034r-61; Wed, 27 Jul 2005 00:51:07 +0100
Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
From: Luke Kenneth Casson Leighton <lkcl@lkcl.net>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: ssh: Xforwarding is disabled and is not a debconf option either
X-Mailer: reportbug 2.39
Date: Wed, 27 Jul 2005 00:51:07 +0100
Message-Id: <E1DxZCV-00034r-61@lkcl.net>
Delivered-To: submit@bugs.debian.org

Package: ssh
Version: 1:3.8.1p1-8.sarge.4
Severity: normal


1) disabling of X forwarding on the server end is pointless as
   there is absolutely zero risk at the server end.

2) ssh -X is a choice made by the client: they take the risk.
   (and having the ssh_config option ForwardX11 no is a GOOD
    idea in this respect and is very sensible - unlike X11Forwarding no
    in sshd_config)

please either enable X11forwarding Yes in sshd_config, or provide
a debconf option to say yes or no and if it makes you happy put the
default option as no.


-- System Information:
Debian Release: testing/unstable
Architecture: i386
Kernel: Linux highfield 2.6.11-1-686 #1 Fri May 20 07:34:54 UTC 2005 i686
Locale: LANG=C, LC_CTYPE=C

Versions of packages ssh depends on:
ii  adduser                     3.51         Add and remove users and groups
ii  debconf                     1.4.52       Debian configuration management sy
ii  dpkg                        1.13.9       Package maintenance system for Deb
ii  libc6                       2.3.2.ds1-21 GNU C Library: Shared libraries an
ii  libpam-modules              0.77-0.se5   Pluggable Authentication Modules f
ii  libpam-runtime              0.77-0.se5   Runtime support for the PAM librar
ii  libpam0g                    0.77-0.se5   Pluggable Authentication Modules l
ii  libssl0.9.7                 0.9.7g-1     SSL shared libraries
ii  libwrap0                    7.6-ipv6.1-3 Wietse Venema's TCP wrappers libra
ii  zlib1g                      1:1.2.1-3    compression library - runtime

-- debconf information excluded


---------------------------------------
Received: (at 320104-close) by bugs.debian.org; 14 Sep 2005 15:08:04 +0000
>From katie@spohr.debian.org Wed Sep 14 08:08:04 2005
Return-path: <katie@spohr.debian.org>
Received: from katie by spohr.debian.org with local (Exim 3.36 1 (Debian))
	id 1EFYly-0005JA-00; Wed, 14 Sep 2005 08:02:06 -0700
From: Colin Watson <cjwatson@debian.org>
To: 320104-close@bugs.debian.org
X-Katie: $Revision: 1.56 $
Subject: Bug#320104: fixed in openssh 1:4.2p1-1
Message-Id: <E1EFYly-0005JA-00@spohr.debian.org>
Sender: Archive Administrator <katie@spohr.debian.org>
Date: Wed, 14 Sep 2005 08:02:06 -0700
Delivered-To: 320104-close@bugs.debian.org

Source: openssh
Source-Version: 1:4.2p1-1

We believe that the bug you reported is fixed in the latest version of
openssh, which is due to be installed in the Debian FTP archive:

openssh-client-udeb_4.2p1-1_powerpc.udeb
  to pool/main/o/openssh/openssh-client-udeb_4.2p1-1_powerpc.udeb
openssh-client_4.2p1-1_powerpc.deb
  to pool/main/o/openssh/openssh-client_4.2p1-1_powerpc.deb
openssh-server-udeb_4.2p1-1_powerpc.udeb
  to pool/main/o/openssh/openssh-server-udeb_4.2p1-1_powerpc.udeb
openssh-server_4.2p1-1_powerpc.deb
  to pool/main/o/openssh/openssh-server_4.2p1-1_powerpc.deb
openssh_4.2p1-1.diff.gz
  to pool/main/o/openssh/openssh_4.2p1-1.diff.gz
openssh_4.2p1-1.dsc
  to pool/main/o/openssh/openssh_4.2p1-1.dsc
openssh_4.2p1.orig.tar.gz
  to pool/main/o/openssh/openssh_4.2p1.orig.tar.gz
ssh-askpass-gnome_4.2p1-1_powerpc.deb
  to pool/main/o/openssh/ssh-askpass-gnome_4.2p1-1_powerpc.deb
ssh_4.2p1-1_all.deb
  to pool/main/o/openssh/ssh_4.2p1-1_all.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 320104@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Colin Watson <cjwatson@debian.org> (supplier of updated openssh package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Wed, 14 Sep 2005 15:16:14 +0100
Source: openssh
Binary: ssh-askpass-gnome openssh-client-udeb ssh openssh-server openssh-client openssh-server-udeb
Architecture: source powerpc all
Version: 1:4.2p1-1
Distribution: unstable
Urgency: low
Maintainer: Matthew Vernon <matthew@debian.org>
Changed-By: Colin Watson <cjwatson@debian.org>
Description: 
 openssh-client - Secure shell client, an rlogin/rsh/rcp replacement
 openssh-client-udeb - Secure shell client for the Debian installer (udeb)
 openssh-server - Secure shell server, an rshd replacement
 openssh-server-udeb - Secure shell server for the Debian installer (udeb)
 ssh        - Secure shell client and server (transitional package)
 ssh-askpass-gnome - under X, asks user for a passphrase for ssh-add
Closes: 181162 208648 320104 324695 326065
Changes: 
 openssh (1:4.2p1-1) unstable; urgency=low
 .
   * New upstream release.
     - SECURITY: Fix a bug introduced in OpenSSH 4.0 that caused GatewayPorts
       to be incorrectly activated for dynamic ("-D") port forwardings when
       no listen address was explicitly specified (closes: #326065).
     - Add a new compression method ("Compression delayed") that delays zlib
       compression until after authentication, eliminating the risk of zlib
       vulnerabilities being exploited by unauthenticated users. Note that
       users of OpenSSH versions earlier than 3.5 will need to disable
       compression on the client or set "Compression yes" (losing this
       security benefit) on the server.
     - Increase the default size of new RSA/DSA keys generated by ssh-keygen
       from 1024 to 2048 bits (closes: #181162).
     - Many bugfixes and improvements to connection multiplexing.
     - Don't pretend to accept $HOME (closes: #208648).
   * debian/rules: Resynchronise CFLAGS with that generated by configure.
   * openssh-client and openssh-server conflict with pre-split ssh to avoid
     problems when ssh is left un-upgraded (closes: #324695).
   * Set X11Forwarding to yes in the default sshd_config (new installs only).
     At least when X11UseLocalhost is turned on, which is the default, the
     security risks of using X11 forwarding are risks to the client, not to
     the server (closes: #320104).
Files: 
 178047b053c1ccd0c09b5aa42c663da2 953 net standard openssh_4.2p1-1.dsc
 93295701e6bcd76fabd6a271654ed15c 928420 net standard openssh_4.2p1.orig.tar.gz
 de8b13991036a157fb89a1277c36ed70 153306 net standard openssh_4.2p1-1.diff.gz
 359f8fed6358af698de006f923175263 1052 net extra ssh_4.2p1-1_all.deb
 8d7e3e8de54516bfb1db71fa13049378 582104 net standard openssh-client_4.2p1-1_powerpc.deb
 dfd29170f38c83a123da23a0164c4f57 215660 net optional openssh-server_4.2p1-1_powerpc.deb
 f25a5d4fc687897338e15e6e40853eca 85428 gnome optional ssh-askpass-gnome_4.2p1-1_powerpc.deb
 243723651a92cd52e1f43a1d03155c4f 157496 debian-installer optional openssh-client-udeb_4.2p1-1_powerpc.udeb
 51bade95482a43d7e69a5a95c3400677 165090 debian-installer optional openssh-server-udeb_4.2p1-1_powerpc.udeb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (GNU/Linux)

iD8DBQFDKDam9t0zAhD6TNERAuvRAJ4lO0peam3SlphI+YRp9ifRD3mhQQCfZsh1
dWajDTamDn77FM5FLgtTUd8=
=q11C
-----END PGP SIGNATURE-----
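
Added example (not part of the messages above and not Debian's or OpenSSH's own code): a small audit of the two sshd_config keywords the changelog entry for #320104 reasons about. It flags the case the changelog's "at least when X11UseLocalhost is turned on" wording leaves out. The function names and sample configurations are constructed for illustration; the defaults are upstream OpenSSH's, and Match handling assumes an sshd that supports Match blocks.

```python
import re

# Upstream OpenSSH defaults for the two keywords discussed in the changelog.
DEFAULTS = {"x11forwarding": "no", "x11uselocalhost": "yes"}
# Keyword and argument are separated by whitespace or by a single '='.
LINE = re.compile(r"(\w+)(?:\s*=\s*|\s+)(.*)")

def parse(config_text):
    """Return (effective global settings, Match-block overrides)."""
    global_settings, overrides, in_match = {}, [], None
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = LINE.match(line)
        if not m:
            continue
        keyword, arg = m.group(1).lower(), m.group(2).split()
        if keyword == "match":
            in_match = " ".join(arg)      # everything below is conditional
        elif keyword in DEFAULTS and arg:
            value = arg[0].lower()
            if in_match is None:
                # sshd uses the first value it obtains for each keyword.
                global_settings.setdefault(keyword, value)
            else:
                overrides.append((in_match, keyword, value))
    return {**DEFAULTS, **global_settings}, overrides

def audit(config_text):
    """List settings that fall outside the changelog's stated assumption."""
    settings, overrides = parse(config_text)
    findings = []
    if settings["x11forwarding"] == "yes" and settings["x11uselocalhost"] != "yes":
        findings.append("global: X11Forwarding yes with X11UseLocalhost no "
                        "(forwarding display binds to the wildcard address)")
    for cond, keyword, value in overrides:
        findings.append(f"Match {cond}: {keyword} {value} overrides the global value")
    return findings

# Constructed sample: the new packaged default described in the changelog.
SAMPLE_DEFAULT = "X11Forwarding yes\n"
# Constructed sample: a locally edited file with a duplicate and a Match block.
SAMPLE_EDITED = """\
X11Forwarding yes
X11UseLocalhost no
X11UseLocalhost yes
Match User kiosk
    X11Forwarding no
"""

if __name__ == "__main__":
    for name, text in (("default", SAMPLE_DEFAULT), ("edited", SAMPLE_EDITED)):
        print(name, audit(text) or "no findings")
```

On a live host, `sshd -T` prints the effective configuration and is the authoritative check; the parser above is for reviewing a file offline.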



