
Bug#475156: marked as done (openssh-server: CVE-2008-1657 bypass of ForceCommand directive via session file modification)



Your message dated Mon, 4 Jan 2010 00:31:05 +0000
with message-id <20100104003105.GG5968@riva.ucam.org>
and subject line fixed ages ago
has caused the Debian Bug report #475156,
regarding openssh-server: CVE-2008-1657 bypass of ForceCommand directive via session file modification
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
475156: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=475156
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: openssh-server
Version: 1:4.3p2-9
Severity: important
Tags: security

Hi,
the following CVE (Common Vulnerabilities & Exposures) id was
published for openssh.


CVE-2008-1657[0]:
| OpenSSH before 4.9 allows remote authenticated users to bypass the
| sshd_config ForceCommand directive by modifying the .ssh/rc session
| file.

If you fix the vulnerability please also make sure to include the
CVE id in your changelog entry.

For further information see:

[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1657
    http://security-tracker.debian.net/tracker/CVE-2008-1657

-- 
Nico Golde - http://www.ngolde.de - nion@jabber.ccc.de - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.



--- End Message ---
--- Begin Message ---
Source: openssh
Source-Version: 1:4.7p1-8

This was fixed ages ago, but inadvertently left open in at least some
BTS views. Closing properly now.

openssh (1:4.7p1-8) unstable; urgency=high

  * Fill in CVE identifier for security vulnerability fixed in 1:4.7p1-5.
  * Rename KeepAlive to TCPKeepAlive in sshd_config, cleaning up from old
    configurations (LP: #211400).
  * Tweak scp's reporting of filenames in verbose mode to be a bit less
    confusing with spaces (thanks, Nicolas Valcárcel; LP: #89945).
  * Backport from 4.9p1:
    - CVE-2008-1657: Ignore ~/.ssh/rc if a sshd_config ForceCommand is
      specified.
    - Add no-user-rc authorized_keys option to disable execution of
      ~/.ssh/rc.
  * Backport from Simon Wilkinson's GSSAPI key exchange patch for 5.0p1:
    - Add code to actually implement GSSAPIStrictAcceptorCheck, which had
      somehow been omitted from a previous version of this patch (closes:
      #474246).

 -- Colin Watson <cjwatson@debian.org>  Sun, 06 Apr 2008 12:34:19 +0100

-- 
Colin Watson                                       [cjwatson@debian.org]


--- End Message ---
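As a defender-side check for the condition described above (ForceCommand set, ~/.ssh/rc present, and no authorized_keys entry carrying the no-user-rc option added in 1:4.7p1-8), here is a POSIX shell audit. This is an added example, not part of the bug report or of Debian's openssh packaging; all paths and sample files in it are constructed for illustration, and the functions are assumed names.

```shell
#!/bin/sh
# Audit for the CVE-2008-1657 condition. Added example, not Debian's code;
# all paths and sample files below are constructed for illustration.

# Print 1 if sshd_config sets ForceCommand anywhere (globally or in a Match
# block), else 0.
has_forcecommand() {
    grep -Eiq '^[[:space:]]*ForceCommand[[:space:]]+' "$1" && echo 1 || echo 0
}

# Print each home directory whose ~/.ssh/rc exists and which is not fully
# covered by the no-user-rc authorized_keys option.
# Usage: rc_exposed_homes SSHD_CONFIG HOME_DIR...
rc_exposed_homes() {
    cfg=$1; shift
    [ "$(has_forcecommand "$cfg")" = 1 ] || return 0
    for home in "$@"; do
        [ -f "$home/.ssh/rc" ] || continue
        keys="$home/.ssh/authorized_keys"
        # No authorized_keys at all: other auth methods still run rc; report.
        if [ ! -f "$keys" ]; then echo "$home"; continue; fi
        # Any key line (blank/comment lines skipped) lacking no-user-rc is exposed.
        if grep -E '^[[:space:]]*[^#[:space:]]' "$keys" | grep -Evq '(^|,)no-user-rc(,| )'; then
            echo "$home"
        fi
    done
}

# Build a constructed sample tree and run the audit over it; prints "alice".
demo() {
    t=$(mktemp -d)
    printf 'ForceCommand /usr/bin/rssh\n' > "$t/sshd_config"
    mkdir -p "$t/alice/.ssh" "$t/bob/.ssh" "$t/carol/.ssh"
    # alice: rc present, key line without no-user-rc -> exposed
    echo 'exit 0' > "$t/alice/.ssh/rc"
    echo 'ssh-rsa AAAAB3example alice@example' > "$t/alice/.ssh/authorized_keys"
    # bob: rc present but every key carries no-user-rc -> not reported
    echo 'exit 0' > "$t/bob/.ssh/rc"
    echo 'no-user-rc,command="/usr/bin/rssh" ssh-rsa AAAAB3example bob@example' \
        > "$t/bob/.ssh/authorized_keys"
    # carol: no rc file -> nothing for sshd to run at session start
    echo 'ssh-rsa AAAAB3example carol@example' > "$t/carol/.ssh/authorized_keys"
    rc_exposed_homes "$t/sshd_config" "$t/alice" "$t/bob" "$t/carol" | sed "s#^$t/##"
    rm -rf "$t"
}
```

On a host running the fixed sshd the rc file is ignored whenever ForceCommand applies, so hits from this audit matter only on versions older than 1:4.7p1-5 or where ForceCommand is relied on together with per-key restrictions.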