
Bug#787002: openssh-client: please default ForwardX11Trusted to "no"



Package: openssh-client
Version: 1:3.8p1-2
Severity: wishlist

http://bugs.debian.org/237021 introduced a configuration change that set
ForwardX11Trusted to "yes" by default on Debian systems, where upstream
(and other distros that follow upstream) set ForwardX11Trusted by
default to "no".

ForwardX11Trusted is a security risk -- it allows capture of arbitrary
content from your local X session by your remote ssh operation.

I understand why 237021 was resolved the way it was -- this change took
some people by surprise, and it wasn't widely expected elsewhere.

Today, the story is different -- upstream has had the default to "no"
for over a decade now.  People who want to trust their remote systems
can set ForwardX11Trusted to "yes" manually.  We're also at a point in
the release cycle where this change can be made and give programmatic
users of openssh an opportunity to make any adjustments they need to.

Debian should no longer diverge in this insecure way from upstream's
defaults.

Thanks for maintaining OpenSSH in Debian!

Regards,

          --dkg
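
An added example, not part of the original bug report and not OpenSSH code: a simplified reader for ssh_config text showing how the compiled-in default decides ForwardX11Trusted for hosts where ForwardX11 is enabled but the trusted option was never set. The function names, sample configuration and host names are constructed; Include and Match are not evaluated.

```python
import fnmatch
import shlex

# Constructed sample configuration; host names are made up.
SAMPLE = """\
Host build-*.example.org !build-legacy.example.org
    ForwardX11 yes
    ForwardX11Trusted no
Host *
    ForwardX11 yes
"""

def host_matches(patterns, host):
    """Host line semantics: a negated (!) match vetoes, else any positive match."""
    matched = False
    for pat in patterns:
        negated = pat.startswith("!")
        if fnmatch.fnmatchcase(host.lower(), pat.lstrip("!").lower()):
            if negated:
                return False
            matched = True
    return matched

def effective_x11(config_text, host, trusted_default):
    """Return (ForwardX11, ForwardX11Trusted) as ssh would resolve them for host.

    trusted_default is the build's compiled-in default for ForwardX11Trusted.
    Assumption of this example: Include and Match blocks are not evaluated.
    """
    found = {"forwardx11": None, "forwardx11trusted": None}
    active = True  # options before the first Host line apply to every host
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        words = shlex.split(line.replace("=", " ", 1))
        key, args = words[0].lower(), words[1:]
        if key == "host":
            active = host_matches(args, host)
        elif key == "match":
            active = False
        elif active and args and found.get(key, "") is None:
            found[key] = args[0].lower()  # first obtained value wins
    # ForwardX11 itself defaults to "no" when unset.
    return found["forwardx11"] or "no", found["forwardx11trusted"] or trusted_default

def exposes_local_display(config_text, host, trusted_default):
    """True when the remote side gets unrestricted access to the local X display."""
    return effective_x11(config_text, host, trusted_default) == ("yes", "yes")
```

Calling `exposes_local_display(SAMPLE, host, "yes")` versus `"no"` for the same host shows which entries depend on the distribution default rather than on an explicit user choice.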
