Bug#475156: openssh-server: CVE-2008-1657 bypass of ForceCommand directive via session file modification



On Wed, Apr 09, 2008 at 02:41:48PM +0200, Nico Golde wrote:
> the following CVE (Common Vulnerabilities & Exposures) id was
> published for openssh.
> 
> 
> CVE-2008-1657[0]:
> | OpenSSH before 4.9 allows remote authenticated users to bypass the
> | sshd_config ForceCommand directive by modifying the .ssh/rc session
> | file.
> 
> If you fix the vulnerability please also make sure to include the
> CVE id in your changelog entry.

At the time I fixed this, it didn't have a public CVE identifier. I've
retroactively filled it in (in CVS) now.

Cheers,

-- 
Colin Watson                                       [cjwatson@debian.org]


