Bug#475156: openssh-server: CVE-2008-1657 bypass of ForceCommand directive via session file modification

To: submit@bugs.debian.org
Subject: Bug#475156: openssh-server: CVE-2008-1657 bypass of ForceCommand directive via session file modification
From: Nico Golde <nion@debian.org>
Date: Wed, 9 Apr 2008 14:41:48 +0200
Message-id: <[🔎] 20080409124148.GA31120@ngolde.de>
Reply-to: Nico Golde <nion@debian.org>, 475156@bugs.debian.org

Package: openssh-server
Version: 1:4.3p2-9
Severity: important
Tags: security

Hi,
the following CVE (Common Vulnerabilities & Exposures) id was
published for openssh.


CVE-2008-1657[0]:
| OpenSSH before 4.9 allows remote authenticated users to bypass the
| sshd_config ForceCommand directive by modifying the .ssh/rc session
| file.

If you fix the vulnerability please also make sure to include the
CVE id in your changelog entry.

For further information see:

[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1657
    http://security-tracker.debian.net/tracker/CVE-2008-1657

-- 
Nico Golde - http://www.ngolde.de - nion@jabber.ccc.de - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.

Attachment: pgpcLpZ9i8iUP.pgp
Description: PGP signature

Reply to:

Follow-Ups:
- Bug#475156: openssh-server: CVE-2008-1657 bypass of ForceCommand directive via session file modification
  - From: Colin Watson <cjwatson@debian.org>

Prev by Date: Processed: fixed 475156 in 1:4.7p1-8
Next by Date: Bug#475156: openssh-server: CVE-2008-1657 bypass of ForceCommand directive via session file modification
Previous by thread: Processed: fixed 475156 in 1:4.7p1-8
Next by thread: Bug#475156: openssh-server: CVE-2008-1657 bypass of ForceCommand directive via session file modification
Index(es):
- Date
- Thread