Bug#475156: openssh-server: CVE-2008-1657 bypass of ForceCommand directive via session file modification
On Wed, Apr 09, 2008 at 02:41:48PM +0200, Nico Golde wrote:
> the following CVE (Common Vulnerabilities & Exposures) id was
> published for openssh.
>
>
> CVE-2008-1657[0]:
> | OpenSSH before 4.9 allows remote authenticated users to bypass the
> | sshd_config ForceCommand directive by modifying the .ssh/rc session
> | file.
>
> If you fix the vulnerability please also make sure to include the
> CVE id in your changelog entry.

At the time I fixed this, it didn't have a public CVE identifier. I've
retroactively filled it in (in CVS) now.

Cheers,
--
Colin Watson [cjwatson@debian.org]