On Tue, 2015-08-18 at 08:38 +0200, Salvatore Bonaccorso wrote:
> Hi Luca,
>
> Thanks for forwarding. This seems to be related to
> https://bugs.debian.org/795711 which we actually marked previously as
> no-dsa. But let's recheck if we missed something.

The OpenSSH 7.0 announcement is a bit confusing on that topic. But I think it was marked no-dsa because the vulnerability needs another vulnerability in order to be able to achieve arbitrary code execution in the context of the sandboxed pre-authentication process. *IF* you have that possibility, a vulnerability in the monitor process could be exploited in order to bypass authentication.

So as far as I can tell it's defense in depth and hardening, not a "root privilege escalation bug". Maybe OpenSSH maintainers can comment on this, though.

> See you,
> Salvatore
>
> (top-posting for context reference to the team)
>
> On Mon, Aug 17, 2015 at 10:08:46PM +0000, Filipozzi, Luca wrote:
> >
> > --
> > Luca Filipozzi
> > Sent from my mobile. Blame auto-correct for any errors.
> >
> > Begin forwarded message:
> >
> > From: Derek Poon <derekp@ece.ubc.ca>
> > Date: August 17, 2015 at 23:38:21 GMT+2
> > To: SNAG <snag@snag.ubc.ca>
> > Subject: [snag] OpenSSH root privilege escalation
> > Reply-To: Derek Poon <derekp@ece.ubc.ca>
> >
> > SNAG,
> >
> > There is a root privilege escalation bug in OpenSSH, for versions
> > from 5.9 to 6.9, and fixed in 7.0. There is no CVE number issued,
> > and no word from Red Hat and Debian yet.
> >
> > Technical explanation:
> > https://cxsecurity.com/issue/WLB-2015080072
> >
> > OpenSSH 7.0 release announcement:
> > http://lists.mindrot.org/pipermail/openssh-unix-announce/2015-August/000122.html
> >
> > Ubuntu USN-2710-1:
> > http://www.ubuntu.com/usn/usn-2710-1/
> >
> > Derek Poon
> > Infrastructure Special Projects Team

--
Yves-Alexis