Hi Colin,

On Thu 20 Aug 2015 00:50:02 CEST, Colin Watson wrote:
> On Fri, Aug 07, 2015 at 11:30:07AM +0000, Debian Bug Tracking System wrote:
>> openssh (1:5.5p1-6+squeeze6) squeeze-lts; urgency=medium
>> .
>>   * Non-maintainer upload by the Debian LTS team.
>>   * CVE-2015-5352: Reject X11 connections after hard-coded Xauth cookie
>>     expiration time of 1200 seconds. (Closes: #790798).
>>   * CVE-2015-5600: Only query each keyboard-interactive device once per
>>     authentication request regardless of how many times it is listed.
>>     (Closes: #793616).
>
> I have not yet looked at the actual patch applied here, but please note
> that for versions of OpenSSH earlier than 6.5p1 (thus, squeeze and
> wheezy) there is a gotcha: you need the additional patch from
> https://bugs.launchpad.net/ubuntu/+source/openssh/+bug/1485719. If you
> didn't include that then I think you need to issue a follow-up advisory.
Thanks for the info. Sorry for the delay in fixing openssh in squeeze-lts. I just uploaded 5.5p1-6+squeeze7, which fixes the issue.
Mike
--
mike gabriel aka sunweaver (Debian Developer)
fon: +49 (1520) 1976 148
GnuPG Fingerprint: 9BFB AEE8 6C0A A5FF BF22 0782 9AF4 6B30 2577 1B31
mail: sunweaver@debian.org, http://sunweavers.net