Bug#1102603: openssh: CVE-2025-32728
Hi Colin,
On Tue, Apr 15, 2025 at 02:36:09PM +0100, Colin Watson wrote:
> On Thu, Apr 10, 2025 at 10:20:44PM +0200, Salvatore Bonaccorso wrote:
> > The following vulnerability was published for openssh.
> >
> > CVE-2025-32728[0]:
> > | In sshd in OpenSSH before 10.0, the DisableForwarding directive does
> > | not adhere to the documentation stating that it disables X11 and
> > | agent forwarding.
>
> I'd like to upload the attached changes to bookworm-security, as well as to
> bullseye-security for LTS (after the usual changelog finalization). Do
> these debdiffs look good to you? There's a bit of noise due to git deciding
> to serialize some patches slightly differently, but the added patch is the
> only effective change in both cases.
We initially marked it as no-dsa for bookworm, so the fix could go
into the next point release. But given you are suggesting a DSA, maybe
we might have missed something important here? Can you elaborate where
we might have overlooked something making it warrant a DSA?
What I do understand is that the sshd-side enforcing is thus not doing
what is documented, and AllowAgentForwarding defaults to yes, while
X11Forwarding is changed to default to yes in Debian.
So we have in any case a slight difference here in Debian vs.
upstream. ForwardAgent on the client side is disabled by default.
And this has been broken for, afaiu, so many years that batching the
update into the next point release seemed initially sufficient?
Regards,
Salvatore