Dear SSH maintainers, dear LTS team,

I just spent quite some time reading OpenSSH code related to checking if CVE-2015-5352 [1] needs to be fixed in Debian squeeze LTS.
The upstream commit for fixing CVE-2015-5352 is at [2]. The fix addresses an issue with the ForwardX11Timeout option in ssh_config. This option is not present in Debian squeeze's version of OpenSSH. So basically OpenSSH in squeeze is not affected.
In squeeze's version there is a hard-coded ForwardX11Timeout of 1200 (in seconds, 20 min lifetime of the X11 auth cookie).
However, I sense that parts of the commit [2] should be adopted, especially this part:
--- a/clientloop.c +++ b/clientloop.c @@ -1706,6 +1729,11 @@ (in client_request_x11 function) "malicious server."); return NULL; } + if (x11_refuse_time != 0 && (u_int)monotime() >= x11_refuse_time) { + verbose("Rejected X11 connection after ForwardX11Timeout " + "expired"); + return NULL; + } originator = packet_get_string(NULL); if (datafellows & SSH_BUG_X11FWD) { debug2("buggy server: x11 request w/o originator_port");
"""
... where x11_refuse_time would be the hard-coded 1200s value...

Any feedback is highly welcome!

Mike

[1] https://security-tracker.debian.org/tracker/CVE-2015-5352
[2] https://anongit.mindrot.org/openssh.git/commit/?h=V_6_9&id=1bf477d3cdf1a864646d59820878783d42357a1d
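
Review bot: the added check in client_request_x11 compares `(u_int)monotime()` against `x11_refuse_time`, so `x11_refuse_time` has to hold an absolute deadline rather than the 1200 s duration itself, and the hunk does not show where it is assigned. For a backport with a hard-coded lifetime, it would need to be set to the current monotime() value plus 1200 at the point where the X11 auth cookie is generated. Because of the `x11_refuse_time != 0` guard, a variable that is never assigned and stays at 0 silently disables the rejection. The hunk also depends on monotime(), so it is worth confirming that the helper exists in the tree the patch is applied to.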
--
DAS-NETZWERKTEAM
mike gabriel, herweg 7, 24357 fleckeby
fon: +49 (1520) 1976 148
GnuPG Key ID 0x25771B31
mail: mike.gabriel@das-netzwerkteam.de, http://das-netzwerkteam.de
freeBusy: https://mail.das-netzwerkteam.de/freebusy/m.gabriel%40das-netzwerkteam.de.xfb