oss-sec mailing list archives

Re: CVE Request: Debian (others?) openssh-server: Forced Command handling leaks private information to ssh clients

From: Yves-Alexis Perez <corsac () debian org>
Date: Fri, 27 Jan 2012 11:40:47 +0100

On jeu., 2012-01-26 at 19:49 -0500, Marc Deslauriers wrote:

Please use CVE-2012-0814 for this issue. Also please let me know if
other Linux distributions are affected!


Looks like this (I haven't tried...):

http://www.openbsd.org/cgi-bin/cvsweb/src/usr.bin/ssh/auth-options.c.diff?r1=1.53;r2=1.54


By the way, is the ForceCommand (and other directives) really supposed
to be private for different keys (or, more widely, for different matches
for the same user).

Regards,
-- 
Yves-Alexis

Current thread:

CVE Request: Debian (others?) openssh-server: Forced Command handling leaks private information to ssh clients Kurt Seifried (Jan 26)
- Re: CVE Request: Debian (others?) openssh-server: Forced Command handling leaks private information to ssh clients Kurt Seifried (Jan 26)
  - Re: CVE Request: Debian (others?) openssh-server: Forced Command handling leaks private information to ssh clients Marc Deslauriers (Jan 26)
    - Re: CVE Request: Debian (others?) openssh-server: Forced Command handling leaks private information to ssh clients Yves-Alexis Perez (Jan 27)
    - Re: CVE Request: Debian (others?) openssh-server: Forced Command handling leaks private information to ssh clients Kurt Seifried (Jan 27)
    - Re: CVE Request: Debian (others?) openssh-server: Forced Command handling leaks private information to ssh clients Yves-Alexis Perez (Jan 27)
    - Re: CVE Request: Debian (others?) openssh-server: Forced Command handling leaks private information to ssh clients Kurt Seifried (Jan 27)
    - Re: CVE Request: Debian (others?) openssh-server: Forced Command handling leaks private information to ssh clients Kurt Seifried (Jan 27)