oss-sec mailing list archives

Re: CVE request: OpenSSH ~/.k5users patch (Fedora and downstreams)


From: cve-assign () mitre org
Date: Thu, 4 Dec 2014 13:38:42 -0500 (EST)



In a Kerberos environment, the Fedora and Red Hat Enterprise Linux 7 version
of the OpenSSH server allows remote, authenticated users to log in as
another user if they are listed in a ~/.k5users file of that other user.
This unexpectedly alters the system security policy, as expressed through
the ~/.k5users file, because previously, users would have to log in locally,
potentially requiring different forms of authentication, before they could
use the ksu command to switch users.

Red Hat Bugzilla:

  <https://bugzilla.redhat.com/show_bug.cgi?id=1169843>

Patch in upstream bug tracker:

  <https://bugzilla.mindrot.org/show_bug.cgi?id=1867>

Use CVE-2014-9278.

---

CVE assignment team, MITRE CVE Numbering Authority M/S M300
202 Burlington Road, Bedford, MA 01730 USA
[ PGP key available through http://cve.mitre.org/cve/request_id.html ]
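Added example, not part of the original message: a small audit script that parses the ~/.k5users files of several local accounts and lists which Kerberos principals each file grants, which under the patched sshd described above is the set of principals that can log in remotely as those accounts. The file contents are constructed sample data; the line format (principal, then an optional command list, with "*" meaning any command) and the comment handling are assumptions about ksu's parser, and how an entry with no command list is treated is left to the reader to confirm against the ksu man page.

```python
# Constructed sample data: contents of ~/.k5users for three local accounts,
# keyed by the account that owns the file. Not taken from any real system.
SAMPLE_K5USERS = {
    "alice": "bob@EXAMPLE.ORG\ncarol@EXAMPLE.ORG *\n",
    "deploy": "# ops staff\nbob@EXAMPLE.ORG /usr/bin/systemctl /usr/bin/journalctl\n\nerin@EXAMPLE.ORG\n",
    "root": "",
}


def parse_k5users(text):
    """Parse one ~/.k5users file into (principal, commands) tuples.

    Assumed format: one principal per line, optionally followed by
    whitespace-separated commands; '*' stands for any command. Blank
    lines and '#' comments are skipped (assumption about ksu's parser).
    """
    entries = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        principal, *commands = line.split()
        entries.append((principal, commands))
    return entries


def audit(files):
    """Map each principal to the accounts whose ~/.k5users list it.

    With the Fedora/RHEL 7 sshd behaviour described above, every principal
    returned here can log in over SSH as the listed account(s), so this is
    the set an administrator would want to review.
    """
    grants = {}
    for owner, text in files.items():
        for principal, commands in parse_k5users(text):
            grants.setdefault(principal, []).append((owner, commands))
    return grants


def report(files):
    """Render the audit as one human-readable line per grant."""
    lines = []
    for principal, targets in sorted(audit(files).items()):
        for owner, commands in targets:
            if "*" in commands:
                scope = "any command"
            elif not commands:
                scope = "no command list"   # semantics: check ksu(1)
            else:
                scope = " ".join(commands)
            lines.append(f"{principal} -> {owner} ({scope})")
    return lines


if __name__ == "__main__":
    for line in report(SAMPLE_K5USERS):
        print(line)
```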
