Bug#326065: ssh: Two security issues fixed in 4.2
Package: ssh
Version: 1:4.1p1-6
Severity: important
Two security related changes were introduced in openssh 4.2:
- SECURITY: Fix a bug introduced in OpenSSH 4.0 that caused
GatewayPorts to be incorrectly activated for dynamic ("-D") port
forwardings when no listen address was explicitly specified.
- SECURITY: sshd in OpenSSH versions prior to 4.2 allow GSSAPI
credentials to be delegated to users who log in with methods
other than GSSAPI authentication (e.g. public key) when the
client requests it. This behaviour has been changed in OpenSSH
4.2 to only delegate credentials to users who authenticate
using the GSSAPI method. This eliminates the risk of credentials
being inadvertently exposed to an untrusted user/host (though
users should not activate GSSAPIDelegateCredentials to begin
with when the remote user or host is untrusted)
Cheers,
Moritz
-- System Information:
Architecture: i386 (i686)
Kernel: Linux 2.4.29-vs1.2.10
Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968)
-- debconf information excluded
Reply to: