oss-sec mailing list archives
CVE request: OpenSSH ~/.k5users patch (Fedora and downstreams)
From: Florian Weimer <fweimer () redhat com>
Date: Tue, 02 Dec 2014 15:56:14 +0100
In a Kerberos environment, the Fedora and Red Hat Enterprise Linux 7 version of the OpenSSH server allows remote, authenticated users to log in as another user if they are listed in a ~/.k5users file of that other user. This unexpectedly alters the system security policy, as expressed through the ~/.k5users file, because previously, users would have to log in locally, potentially requiring different forms of authentication, before they could use the ksu command to switch users.
Red Hat Bugzilla: <https://bugzilla.redhat.com/show_bug.cgi?id=1169843>
Patch in upstream bug tracker: <https://bugzilla.mindrot.org/show_bug.cgi?id=1867>
--
Florian Weimer / Red Hat Product Security
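An added audit helper, not part of Florian Weimer's post or of the OpenSSH/Fedora code, that lists which Kerberos principals can obtain a shell as which local accounts through ~/.k5users files. It assumes the ksu(1) file format (one principal per line, optional command list, "*" meaning any command, no list meaning the default shell); the sample file content and the home directory root are constructed.

```python
import os
from typing import Dict, List, Tuple

# Constructed sample ~/.k5users content (not taken from the original post).
# Assumed format, as documented for ksu(1): a principal name, then an
# optional list of commands; "*" grants any command.
SAMPLE_K5USERS = """\
# principals permitted to become this account
alice@EXAMPLE.COM
bob@EXAMPLE.COM /usr/bin/backup
carol/admin@EXAMPLE.COM *
"""


def parse_k5users(text: str) -> List[Tuple[str, List[str]]]:
    """Return (principal, commands) pairs; blank lines and comments are skipped."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        entries.append((fields[0], fields[1:]))
    return entries


def shell_capable(commands: List[str]) -> bool:
    """Assumption: an empty command list means the default shell, "*" means anything."""
    return not commands or "*" in commands


def audit_home_dirs(home_root: str) -> Dict[str, List[str]]:
    """Map each account under home_root (e.g. /home) to the principals that
    can get a shell as it via that account's ~/.k5users file."""
    findings: Dict[str, List[str]] = {}
    for name in sorted(os.listdir(home_root)):
        path = os.path.join(home_root, name, ".k5users")
        if not os.path.isfile(path):
            continue
        with open(path) as fh:
            entries = parse_k5users(fh.read())
        principals = [p for p, cmds in entries if shell_capable(cmds)]
        if principals:
            findings[name] = principals
    return findings


if __name__ == "__main__":
    for account, principals in audit_home_dirs("/home").items():
        print(f"{account}: {', '.join(principals)}")
```

Run it on the host's home directory root to see every account whose ~/.k5users would let a remote Kerberos-authenticated principal log in as it under the patched sshd.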
Current thread:
- CVE request: OpenSSH ~/.k5users patch (Fedora and downstreams) Florian Weimer (Dec 02)
- Re: CVE request: OpenSSH ~/.k5users patch (Fedora and downstreams) cve-assign (Dec 04)