
Bug#326065: ssh: Two security issues fixed in 4.2



Package: ssh
Version: 1:4.1p1-6 
Severity: important

Two security-related changes were introduced in OpenSSH 4.2:

  - SECURITY: Fix a bug introduced in OpenSSH 4.0 that caused
    GatewayPorts to be incorrectly activated for dynamic ("-D") port
    forwardings when no listen address was explicitly specified.

  - SECURITY: sshd in OpenSSH versions prior to 4.2 allow GSSAPI
    credentials to be delegated to users who log in with methods
    other than GSSAPI authentication (e.g. public key) when the
    client requests it. This behaviour has been changed in OpenSSH
    4.2 to only delegate credentials to users who authenticate
    using the GSSAPI method. This eliminates the risk of credentials
    being inadvertently exposed to an untrusted user/host (though
    users should not activate GSSAPIDelegateCredentials to begin
    with when the remote user or host is untrusted)

Cheers,
        Moritz
	  
-- System Information:
Architecture: i386 (i686)
Kernel: Linux 2.4.29-vs1.2.10
Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968)

-- debconf information excluded
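
An added example, not part of the original report or of OpenSSH: a small Python audit of client-side ssh_config text for the settings the two release notes concern, flagging `GSSAPIDelegateCredentials yes` under wildcard host patterns, `DynamicForward` entries with no listen address, and `GatewayPorts yes`. The sample config, its host names and the `audit_ssh_config` helper are constructed for illustration.

```python
import re

# Constructed sample ~/.ssh/config, for illustration only.
SAMPLE = """\
# global section
GSSAPIAuthentication yes
GSSAPIDelegateCredentials yes
DynamicForward 1080

Host kdc-gw.example.org
    GSSAPIDelegateCredentials yes
    DynamicForward 127.0.0.1:1081

Host *.lab.example.org build?
    GSSAPIDelegateCredentials=yes
    GatewayPorts yes
"""

def audit_ssh_config(text):
    """Return (line_no, host_patterns, finding) tuples for risky client settings."""
    findings = []
    patterns = ["*"]  # options before the first Host line apply to every host
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        # ssh_config accepts both "Keyword value" and "Keyword=value"
        parts = re.split(r"\s*=\s*|\s+", line, maxsplit=1)
        key = parts[0].lower()  # keywords are case-insensitive
        arg = parts[1].strip() if len(parts) > 1 else ""
        scope = " ".join(patterns)
        broad = any(c in p for p in patterns for c in "*?")
        if key == "host":
            patterns = arg.split()
        elif key == "gssapidelegatecredentials" and arg.lower() == "yes" and broad:
            findings.append((no, scope, "credentials delegated under a wildcard host pattern"))
        elif key == "dynamicforward" and arg.isdigit():
            # port only: the "no listen address" case named in the release note
            findings.append((no, scope, "-D forwarding with no explicit listen address"))
        elif key == "gatewayports" and arg.lower() == "yes":
            findings.append((no, scope, "GatewayPorts on: forwards bind to the wildcard address"))
    return findings

if __name__ == "__main__":
    for finding in audit_ssh_config(SAMPLE):
        print(finding)
```

Only `Host` blocks are tracked; `Match` blocks and `Include` directives found in newer ssh_config files are not interpreted.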



