
Bug#1102603: openssh: CVE-2025-32728



Hi Colin,

On Wed, Apr 23, 2025 at 12:38:41PM +0100, Colin Watson wrote:
> On Tue, Apr 15, 2025 at 09:38:21PM +0200, Salvatore Bonaccorso wrote:
> > On Tue, Apr 15, 2025 at 02:36:09PM +0100, Colin Watson wrote:
> > > On Thu, Apr 10, 2025 at 10:20:44PM +0200, Salvatore Bonaccorso wrote:
> > > > The following vulnerability was published for openssh.
> > > >
> > > > CVE-2025-32728[0]:
> > > > | In sshd in OpenSSH before 10.0, the DisableForwarding directive does
> > > > | not adhere to the documentation stating that it disables X11 and
> > > > | agent forwarding.
> > > 
> > > I'd like to upload the attached changes to bookworm-security, as well as to
> > > bullseye-security for LTS (after the usual changelog finalization).  Do
> > > these debdiffs look good to you?  There's a bit of noise due to git deciding
> > > to serialize some patches slightly differently, but the added patch is the
> > > only effective change in both cases.
> > 
> > We initially marked it as no-dsa for bookworm and so the fix could go
> > to the next point release. But given you are suggesting a DSA, maybe
> > we might have missed something important here? Can you elaborate where
> > we might have overlooked something making it warrant a DSA?
> > 
> > What I do understand is that the sshd-side enforcing is thus not doing
> > as documented, and AllowAgentForwarding is by default on yes, where
> > X11Forwarding is changed to default to yes in Debian.
> > So we have in any case a slight difference here in Debian vs.
> > upstream. ForwardAgent client side is disabled by default.
> > 
> > And this has been broken for afaiu so many years that batching the
> > update in the next point release seemed initially sufficient?
> 
> No, that's fine, I hadn't noticed that you'd marked it as no-dsa.  I'll file
> a stable update bug for it.

Thank you!

Regards,
Salvatore
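The practical consequence of the thread above is that, on an sshd affected by CVE-2025-32728, "DisableForwarding yes" on its own does not switch off X11 or agent forwarding, so only explicit "X11Forwarding no" and "AllowAgentForwarding no" keywords actually take effect. The following is an added example, not code from Debian, OpenSSH or anyone in this thread: a small checker that parses an sshd_config (a constructed sample is embedded) and reports every scope, global or Match block, where DisableForwarding is set but one of the two forwarding kinds is not explicitly turned off. The sample config, the function names and the `debian` flag (which models the "X11Forwarding yes" Debian ships when the supplied file omits the keyword, versus the upstream default of no) are all assumptions of this example.

```python
"""Flag sshd_config scopes that rely on DisableForwarding alone.

Added example for the CVE-2025-32728 discussion; not Debian's or OpenSSH's
own code.  On an affected sshd, DisableForwarding did not disable X11 or
agent forwarding, so a scope that sets DisableForwarding without also
setting "X11Forwarding no" and "AllowAgentForwarding no" still forwards.

Assumptions (not from the thread): AllowAgentForwarding defaults to yes;
X11Forwarding defaults to no upstream and to yes in Debian's shipped config.
Only the whitespace-separated "Keyword value" form is handled, not "Keyword=value".
"""
from __future__ import annotations

import shlex

# Constructed sample sshd_config; not taken from any real host.
SAMPLE_CONFIG = """\
# global section
Port 22
DisableForwarding yes
AllowAgentForwarding no

Match User backup
    DisableForwarding yes

Match Group devs
    DisableForwarding yes
    X11Forwarding no
    AllowAgentForwarding no
"""

# Keyword -> default value on a Debian host / on an upstream default build.
DEFAULTS = {
    "allowagentforwarding": ("yes", "yes"),
    "x11forwarding": ("yes", "no"),  # (debian, upstream)
}


def parse_sections(text: str) -> list[tuple[str, dict[str, str]]]:
    """Split the config into (scope, {keyword: value}) in file order.

    The first entry is the global scope; each "Match ..." line opens a new
    scope.  Keywords are case-insensitive and, as in sshd, the first value
    obtained for a keyword within a scope wins.
    """
    sections: list[tuple[str, dict[str, str]]] = [("global", {})]
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blanks
        if not line:
            continue
        parts = shlex.split(line)
        key, value = parts[0].lower(), " ".join(parts[1:])
        if key == "match":
            sections.append((f"Match {value}", {}))
            continue
        sections[-1][1].setdefault(key, value)
    return sections


def effective(scope: dict[str, str], global_opts: dict[str, str], key: str, default: str) -> str:
    """Value in effect for a scope: Match block, then global section, then default."""
    return scope.get(key, global_opts.get(key, default)).lower()


def find_gaps(text: str, debian: bool = True) -> list[tuple[str, str]]:
    """Return (scope, keyword) pairs where DisableForwarding is set but the
    forwarding keyword is not explicitly (or by default) "no"."""
    sections = parse_sections(text)
    global_opts = sections[0][1]
    gaps: list[tuple[str, str]] = []
    for scope_name, opts in sections:
        if effective(opts, global_opts, "disableforwarding", "no") != "yes":
            continue
        for key, (debian_default, upstream_default) in DEFAULTS.items():
            default = debian_default if debian else upstream_default
            if effective(opts, global_opts, key, default) != "no":
                gaps.append((scope_name, key))
    return gaps


if __name__ == "__main__":
    for scope_name, key in find_gaps(SAMPLE_CONFIG):
        print(f"{scope_name}: DisableForwarding set but {key} still enabled")
```

Run against the sample with Debian defaults, the global section and the "Match User backup" block are reported for X11 forwarding (neither sets "X11Forwarding no"), while the "Match Group devs" block passes because it disables both kinds explicitly; with `debian=False` nothing is reported, which is exactly the Debian-versus-upstream difference Salvatore points at. Adding the explicit keywords alongside DisableForwarding is harmless on a fixed sshd and closes the gap on an unfixed one.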

