Hi,

This bug got mentioned on the openssh-unix-dev mailing list yesterday, so I had a look.

The primary thrust of this report seems to be about the modification from upstream of the default for ForwardX11Trusted to now be set.

Frankly, I'm astonished by this -- I have been aware of -Y since it was introduced, and had rather assumed that the fact that I was not using it was offering me some degree of protection.

Yes, I can see now that it gets a mention in the README.Debian, but I've managed to miss that for a decade it seems. However, in the place one might expect it to be documented (i.e. the ssh man page) I see no mention of it. In the ssh_config man page it gets just:

    The default is "yes" (Debian-specific).

It seems to me it needs something along the lines of this near the -X and -Y options' documentation:

    ***WARNING*** -Y option is basically irrelevant as the result of Debian
    shipping a modified binary that treats -X the same way. You'll need to
    set ForwardX11Trusted to "no" if you want the documented behaviour that
    is provided upstream.
    *************

The patch that makes this change is here:

    http://sources.debian.net/src/openssh/1:6.7p1-3/debian/patches/debian-config.patch/

which includes mention of the fact that the change was introduced in order to close this bug:

    https://bugs.debian.org/237021

where Colin states in Message #47:

    I think it's become clear that it's too far-reaching at this point in
    Debian's release cycle; we need time to prepare the rest of the
    distribution for this sort of thing if it's to become the default.

That was in 2004 while Sarge was (not) getting released -- we've had 5 complete release cycles since then, so it might be time to get rid of this patch.

Cheers, Phil.
--
|)| Philip Hands [+44 (0)20 8530 9560] HANDS.COM Ltd.
|-| http://www.hands.com/ http://ftp.uk.debian.org/
|(| Hugo-Klemm-Strasse 34, 21075 Hamburg, GERMANY
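As an added example (not part of Phil's message or of the openssh package), the following Python models how ssh_config resolves ForwardX11Trusted for a given host: the first obtained value wins, Host lines are glob patterns, and the fallback is the upstream default "no" or the Debian default "yes" described in the report. The config text and host names are constructed; it is meant for auditing which hosts still end up with trusted forwarding under the Debian patch.

```python
import fnmatch
import re

UPSTREAM_DEFAULT = "no"   # OpenSSH upstream default for ForwardX11Trusted
DEBIAN_DEFAULT = "yes"    # Debian's patched default, as described in the report


def parse_ssh_config(config_text):
    """Return (host_patterns, {lowercased option: value}) blocks in file order.
    Options before the first 'Host' line apply to every host ('*').
    Within a block the first occurrence of an option wins, as in OpenSSH."""
    blocks = [(["*"], {})]
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        key = parts[0].lower()
        value = parts[1] if len(parts) > 1 else ""
        if key == "host":
            blocks.append((value.split(), {}))
        else:
            blocks[-1][1].setdefault(key, value)
    return blocks


def effective_forward_x11_trusted(config_text, hostname, debian=True):
    """Resolve ForwardX11Trusted for hostname: first matching Host block that
    sets it wins; otherwise the compiled-in default (Debian or upstream)."""
    for patterns, options in parse_ssh_config(config_text):
        negated = any(p.startswith("!") and fnmatch.fnmatchcase(hostname, p[1:])
                      for p in patterns)
        matched = any(not p.startswith("!") and fnmatch.fnmatchcase(hostname, p)
                      for p in patterns)
        if matched and not negated and "forwardx11trusted" in options:
            return options["forwardx11trusted"].lower()
    return DEBIAN_DEFAULT if debian else UPSTREAM_DEFAULT


# Constructed sample config: only one host explicitly opts out of trusted forwarding.
SAMPLE_CONFIG = """
Host untrusted.example
    ForwardX11Trusted no

Host *.example
    ForwardX11 yes
"""

# Constructed hardened config: restore the upstream behaviour for every host.
HARDENED_CONFIG = "ForwardX11Trusted no\n" + SAMPLE_CONFIG
```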