Your message dated Mon, 4 Jan 2010 00:31:05 +0000
with message-id <20100104003105.GG5968@riva.ucam.org>
and subject line fixed ages ago
has caused the Debian Bug report #475156,
regarding openssh-server: CVE-2008-1657 bypass of ForceCommand directive via session file modification
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)

--
475156: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=475156
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
- To: submit@bugs.debian.org
- Subject: openssh-server: CVE-2008-1657 bypass of ForceCommand directive via session file modification
- From: Nico Golde <nion@debian.org>
- Date: Wed, 9 Apr 2008 14:41:48 +0200
- Message-id: <20080409124148.GA31120@ngolde.de>
Package: openssh-server
Version: 1:4.3p2-9
Severity: important
Tags: security

Hi,
the following CVE (Common Vulnerabilities & Exposures) id was
published for openssh.

CVE-2008-1657[0]:
| OpenSSH before 4.9 allows remote authenticated users to bypass the
| sshd_config ForceCommand directive by modifying the .ssh/rc session
| file.

If you fix the vulnerability please also make sure to include the
CVE id in your changelog entry.

For further information see:

[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1657
    http://security-tracker.debian.net/tracker/CVE-2008-1657

--
Nico Golde - http://www.ngolde.de - nion@jabber.ccc.de - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.
--- End Message ---
--- Begin Message ---
- To: 475156-done@bugs.debian.org
- Subject: fixed ages ago
- From: Colin Watson <cjwatson@debian.org>
- Date: Mon, 4 Jan 2010 00:31:05 +0000
- Message-id: <20100104003105.GG5968@riva.ucam.org>
Source: openssh
Source-Version: 1:4.7p1-8

This was fixed ages ago, but inadvertently left open in at least some
BTS views. Closing properly now.

openssh (1:4.7p1-8) unstable; urgency=high

  * Fill in CVE identifier for security vulnerability fixed in 1:4.7p1-5.
  * Rename KeepAlive to TCPKeepAlive in sshd_config, cleaning up from old
    configurations (LP: #211400).
  * Tweak scp's reporting of filenames in verbose mode to be a bit less
    confusing with spaces (thanks, Nicolas Valcárcel; LP: #89945).
  * Backport from 4.9p1:
    - CVE-2008-1657: Ignore ~/.ssh/rc if a sshd_config ForceCommand is
      specified.
    - Add no-user-rc authorized_keys option to disable execution of
      ~/.ssh/rc.
  * Backport from Simon Wilkinson's GSSAPI key exchange patch for 5.0p1:
    - Add code to actually implement GSSAPIStrictAcceptorCheck, which had
      somehow been omitted from a previous version of this patch (closes:
      #474246).

 -- Colin Watson <cjwatson@debian.org>  Sun, 06 Apr 2008 12:34:19 +0100

--
Colin Watson                                       [cjwatson@debian.org]
--- End Message ---
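
The changelog above backports two separate controls: sshd ignores ~/.ssh/rc when sshd_config sets ForceCommand, and authorized_keys gains a no-user-rc option. A key restricted only with command= in authorized_keys is not covered by the first control, so the following added example (not part of the bug log or of OpenSSH) lists such keys that lack no-user-rc. The function names and the sample file are constructed for illustration; the restrict and user-rc options it recognises come from later OpenSSH releases and are not mentioned in this bug.

```python
KEY_TYPES = ("ssh-", "ecdsa-", "sk-")  # prefixes of public key type names


def split_options(line):
    """Return the options of one authorized_keys line ([] if it has none)."""
    if line.startswith(KEY_TYPES):
        return []
    opts, cur, quoted, i = [], "", False, 0
    while i < len(line):
        c = line[i]
        if quoted and c == "\\" and line[i + 1:i + 2] == '"':
            cur, i = cur + '\\"', i + 2  # escaped quote inside a value
            continue
        if c == '"':
            quoted = not quoted
        elif not quoted and c in " \t":
            break  # unquoted whitespace ends the options field
        if c == "," and not quoted:
            opts.append(cur)
            cur = ""
        else:
            cur += c
        i += 1
    return opts + [cur] if cur else opts


def rc_exposed_keys(authorized_keys_text):
    """Line numbers of keys pinned to command= that may still run ~/.ssh/rc."""
    hits = []
    for n, raw in enumerate(authorized_keys_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        names = {o.split("=", 1)[0].lower() for o in split_options(line)}
        # restrict / user-rc: later OpenSSH options, an assumption beyond this page
        blocked = bool(names & {"no-user-rc", "restrict"}) and "user-rc" not in names
        if "command" in names and not blocked:
            hits.append(n)
    return hits


SAMPLE = '''\
# constructed sample authorized_keys; key material is placeholder text
command="/usr/local/bin/backup --to \\"nightly, full\\"" ssh-ed25519 AAAAexample1 backup@example
command="/usr/bin/rrsync /srv",no-user-rc,no-pty ssh-rsa AAAAexample2 sync@example
restrict,command="/usr/bin/uptime" ssh-ed25519 AAAAexample3 mon@example
ssh-ed25519 AAAAexample4 admin@example
restrict,user-rc,command="/bin/date" ssh-ed25519 AAAAexample5 odd@example
'''

if __name__ == "__main__":
    print(rc_exposed_keys(SAMPLE))
```

Run it over each account's authorized_keys file; a reported line number is a key whose forced command should also carry no-user-rc.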