Re: squeeze update of openssh?
- To: Yves-Alexis Perez <corsac@debian.org>
- Cc: Guido Günther <agx@sigxcpu.org>, Ben Hutchings <ben@decadent.org.uk>, Mike Gabriel <sunweaver@debian.org>, debian-lts@lists.debian.org, Debian OpenSSH Maintainers <debian-ssh@lists.debian.org>, Matthew Vernon <matthew@debian.org>
- Subject: Re: squeeze update of openssh?
- From: Colin Watson <cjwatson@debian.org>
- Date: Fri, 15 Jan 2016 14:01:44 +0000
- Message-id: <20160115140144.GK2181@riva.ucam.org>
- Mail-followup-to: Yves-Alexis Perez <corsac@debian.org>, Guido Günther <agx@sigxcpu.org>, Ben Hutchings <ben@decadent.org.uk>, Mike Gabriel <sunweaver@debian.org>, debian-lts@lists.debian.org, Debian OpenSSH Maintainers <debian-ssh@lists.debian.org>, Matthew Vernon <matthew@debian.org>
- In-reply-to: <1452865833.15013.79.camel@debian.org>
- References: <20160115104622.GA5647@minobo.das-netzwerkteam.de> <1452864937.2519.5.camel@decadent.org.uk> <20160115134712.GB32596@bogon.m.sigxcpu.org> <1452865833.15013.79.camel@debian.org>
On Fri, Jan 15, 2016 at 02:50:33PM +0100, Yves-Alexis Perez wrote:
> On ven., 2016-01-15 at 14:47 +0100, Guido Günther wrote:
> > > I believe Yves-Alexis Perez is handling this.
> >
> > I figured Mike's mail is related to
> >
> > TEMP-0000000 Eliminate the fallback from untrusted X11-forwarding to
> > trusted forwarding for cases when the X server disables the SECURITY
> > extension
> >
> > not to CVE-2016-0777 CVE-2016-0778?
>
> We've not yet investigated the other, CVE-less vulnerabilities fixed by the
> last OpenSSH release (whether for the current stables or for LTS).
OpenSSH upstream decided not to fix the untrusted->trusted forwarding
issue in 7.1p2
(https://lists.mindrot.org/pipermail/openssh-unix-dev/2016-January/034684.html).
I would recommend holding off on that until they've actually blessed a
fix for real.

https://security-tracker.debian.org/tracker/source-package/openssh is
mistaken in claiming that this is fixed in sid. It's not.
--
Colin Watson [cjwatson@debian.org]