oss-sec mailing list archives

Re: CVE request: openssh "ForceCommand" improperly implemented

From: "Steven M. Christey" <coley () linus mitre org>
Date: Wed, 2 Apr 2008 13:39:37 -0400 (EDT)


======================================================
Name: CVE-2008-1657
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1657
Reference: CONFIRM:http://www.openssh.com/txt/release-4.9
Reference: CONFIRM:https://issues.rpath.com/browse/RPL-2419
Reference: OPENBSD:[4.3] 001: SECURITY FIX: March 30, 2008
Reference: URL:http://www.openbsd.org/errata43.html#001_openssh
Reference: BID:28531
Reference: URL:http://www.securityfocus.com/bid/28531
Reference: FRSIRT:ADV-2008-1035
Reference: URL:http://www.frsirt.com/english/advisories/2008/1035/references
Reference: SECTRACK:1019733
Reference: URL:http://www.securitytracker.com/id?1019733
Reference: SECUNIA:29602
Reference: URL:http://secunia.com/advisories/29602
Reference: SECUNIA:29609
Reference: URL:http://secunia.com/advisories/29609
Reference: XF:openssh-forcecommand-command-execution(41549)
Reference: URL:http://xforce.iss.net/xforce/xfdb/41549

OpenSSH before 4.9 allows remote authenticated users to bypass the
sshd_config ForceCommand directive by modifying the .ssh/rc session
file.

Current thread:

CVE request: openssh "ForceCommand" improperly implemented Jonathan Smith (Apr 02)
- Re: CVE request: openssh "ForceCommand" improperly implemented Steven M. Christey (Apr 02)
- Re: CVE request: openssh "ForceCommand" improperly implemented Florian Weimer (Apr 02)