oss-sec mailing list archives
Re: CVE Request: Debian (others?) openssh-server: Forced Command handling leaks private information to ssh clients
From: Kurt Seifried <kseifried () redhat com>
Date: Fri, 27 Jan 2012 22:46:22 -0700
TL;DR anyone shipping OpenSSH portable 5.4 and 5.5 is vulnerable and needs to fix this. This may also affect OpenSSH 5.4/5.5 (non-portable) which I'll test when I get home.
Confirmed the code is basically identical, didn't actually run them to test (since it's been fixed in OpenBSD for quite some time now).

--
Kurt Seifried
Red Hat Security Response Team (SRT)