
Bug#790798: marked as done (openssh: CVE-2015-5352: XSECURITY restrictions bypass under certain conditions in ssh)



Your message dated Fri, 07 Aug 2015 11:26:29 +0000
with message-id <E1ZNfnB-00087e-HI@franck.debian.org>
and subject line Bug#790798: fixed in openssh 1:5.5p1-6+squeeze6
has caused the Debian Bug report #790798,
regarding openssh: CVE-2015-5352: XSECURITY restrictions bypass under certain conditions in ssh
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
790798: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=790798
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Source: openssh
Severity: important
Tags: security

Hi Colin,
CVE-2015-5352 was assigned to this change from 6.9:

>  * ssh(1): when forwarding X11 connections with ForwardX11Trusted=no,
>    connections made after ForwardX11Timeout expired could be permitted
>    and no longer subject to XSECURITY restrictions because of an
>    ineffective timeout check in ssh(1) coupled with "fail open"
>    behaviour in the X11 server when clients attempted connections with
>    expired credentials. This problem was reported by Jann Horn.

Fix:
https://anongit.mindrot.org/openssh.git/commit/?h=V_6_9&id=1bf477d3cdf1a864646d59820878783d42357a1d

I don't think this warrants a DSA, we can line up the fix for a future
DSA or a jessie point update. Or do you disagree?

Cheers,
        Moritz

--- End Message ---
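A simplified model of the client-side check this fix calls for, added here as an example and not OpenSSH's own code: the deadline is fixed when forwarding is established and enforced inside ssh(1) before any connection is relayed, so the X server's fail-open handling of expired cookies never comes into play. The names x11_gate, x11_gate_init, x11_gate_accept, x11_untrusted_attempt and mono_now are assumed; the 1200-second lifetime is the value the squeeze-lts changelog gives.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdbool.h>
#include <time.h>

/* Lifetime of an untrusted xauth cookie in seconds (1200 per the changelog). */
#define X11_UNTRUSTED_COOKIE_LIFETIME 1200

/* Assumed names: this is a model of the check, not OpenSSH's data structures. */
struct x11_gate {
    bool     trusted;       /* ForwardX11Trusted for this session */
    time_t   refuse_after;  /* monotonic deadline, used only when !trusted */
    unsigned rejected;      /* refused channel-opens, worth logging */
};

/* CLOCK_MONOTONIC seconds: a wall-clock step backwards cannot extend the deadline. */
time_t mono_now(void)
{
    struct timespec ts;
    clock_gettime(CLOCK_MONOTONIC, &ts);
    return ts.tv_sec;
}

/* Called once when X11 forwarding is set up; the deadline is fixed here. */
void x11_gate_init(struct x11_gate *g, bool trusted, unsigned lifetime_s, time_t now)
{
    g->trusted = trusted;
    g->rejected = 0;
    g->refuse_after = now + (time_t)lifetime_s;
}

/* Called for every X11 channel-open the server sends back. The client decides,
 * so an X server that accepts expired cookies ("fail open") is never consulted. */
bool x11_gate_accept(struct x11_gate *g, time_t now)
{
    if (g->trusted)
        return true;                  /* trusted forwarding has no deadline */
    if (now >= g->refuse_after) {     /* reaching the deadline already expires it */
        g->rejected++;
        return false;
    }
    return true;
}

/* One untrusted session opened at `start`, one attempt at `attempt`: 1 = relayed. */
int x11_untrusted_attempt(time_t start, time_t attempt)
{
    struct x11_gate g;
    x11_gate_init(&g, false, X11_UNTRUSTED_COOKIE_LIFETIME, start);
    return x11_gate_accept(&g, attempt) ? 1 : 0;
}
```

In real code the `now` argument comes from mono_now() at the moment of each channel-open request, never from the timestamp recorded at setup.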
--- Begin Message ---
Source: openssh
Source-Version: 1:5.5p1-6+squeeze6

We believe that the bug you reported is fixed in the latest version of
openssh, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 790798@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Mike Gabriel <sunweaver@debian.org> (supplier of updated openssh package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Fri, 07 Aug 2015 09:15:26 +0200
Source: openssh
Binary: openssh-client openssh-server ssh ssh-krb5 ssh-askpass-gnome openssh-client-udeb openssh-server-udeb
Architecture: source amd64 all
Version: 1:5.5p1-6+squeeze6
Distribution: squeeze-lts
Urgency: medium
Maintainer: Debian OpenSSH Maintainers <debian-ssh@lists.debian.org>
Changed-By: Mike Gabriel <sunweaver@debian.org>
Description: 
 openssh-client - secure shell (SSH) client, for secure access to remote machines
 openssh-client-udeb - secure shell client for the Debian installer (udeb)
 openssh-server - secure shell (SSH) server, for secure access from remote machines
 openssh-server-udeb - secure shell server for the Debian installer (udeb)
 ssh        - secure shell client and server (metapackage)
 ssh-askpass-gnome - interactive X program to prompt users for a passphrase for ssh-ad
 ssh-krb5   - secure shell client and server (transitional package)
Closes: 790798 793616
Changes: 
 openssh (1:5.5p1-6+squeeze6) squeeze-lts; urgency=medium
 .
   * Non-maintainer upload by the Debian LTS team.
   * CVE-2015-5352: Reject X11 connections after hard-coded Xauth cookie
     expiration time of 1200 seconds. (Closes: #790798).
   * CVE-2015-5600: Only query each keyboard-interactive device once per
     authentication request regardless of how many times it is listed.
     (Closes: #793616).
Checksums-Sha1: 
Checksums-Sha256: 
Files: 
Package-Type: udeb


--- End Message ---
