oss-sec mailing list archives
Re: CVE request: OpenSSH ~/.k5users patch (Fedora and downstreams)
From: cve-assign () mitre org
Date: Thu, 4 Dec 2014 13:38:42 -0500 (EST)
In a Kerberos environment, the Fedora and Red Hat Enterprise Linux 7 version of the OpenSSH server allows remote, authenticated users to log in as another user if they are listed in a ~/.k5users file of that other user. This unexpectedly alters the system security policy, as expressed through the ~/.k5users file, because previously, users would have to log in locally, potentially requiring different forms of authentication, before they could use the ksu command to switch users.

Red Hat Bugzilla: <https://bugzilla.redhat.com/show_bug.cgi?id=1169843>
Patch in upstream bug tracker: <https://bugzilla.mindrot.org/show_bug.cgi?id=1867>
Use CVE-2014-9278.

---
CVE assignment team, MITRE CVE Numbering Authority
M/S M300
202 Burlington Road, Bedford, MA 01730 USA
[ PGP key available through http://cve.mitre.org/cve/request_id.html ]
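Added example, not part of the original message or of the OpenSSH patch: a small inventory script an administrator could use to see which accounts carry a ~/.k5users file that names someone else's principal, since those are the grants whose reach changes as described above. It assumes home directories sit under one root and are named after the account, and it reads the file format as documented in ksu(1) (principal first, optional commands after); the function names and sample principals are constructed for illustration.

```python
"""Inventory ~/.k5users entries that name another user's principal."""
import os
import tempfile

def parse_k5users(text):
    """Return [(principal, [commands])] for each non-empty line.

    Format per ksu(1): one principal per line, optionally followed by
    the commands it may run; '*' means any command.
    """
    entries = []
    for line in text.splitlines():
        fields = line.split()
        if fields:
            entries.append((fields[0], fields[1:]))
    return entries

def cross_user_grants(home_root):
    """Return (account, principal, commands) for each entry whose primary
    principal component differs from the account owning the home dir."""
    findings = []
    for account in sorted(os.listdir(home_root)):
        path = os.path.join(home_root, account, ".k5users")
        try:
            with open(path, encoding="utf-8", errors="replace") as fh:
                entries = parse_k5users(fh.read())
        except (FileNotFoundError, NotADirectoryError, PermissionError):
            continue  # no file, not a directory, or unreadable: skip
        for principal, commands in entries:
            # "dave/admin@REALM" -> "dave" (simplification: no escapes)
            primary = principal.split("@", 1)[0].split("/", 1)[0]
            if primary != account:
                findings.append((account, principal, commands))
    return findings

def demo():
    # Constructed sample data: two home directories under a temp root.
    with tempfile.TemporaryDirectory() as root:
        for account, body in {
            "alice": "alice@EXAMPLE.COM\nbob@EXAMPLE.COM *\n",
            "carol": "dave/admin@EXAMPLE.COM /bin/ls\n",
        }.items():
            os.makedirs(os.path.join(root, account))
            with open(os.path.join(root, account, ".k5users"), "w") as fh:
                fh.write(body)
        return cross_user_grants(root)

if __name__ == "__main__":
    for account, principal, commands in demo():
        print(f"{account}: {principal} commands={commands or 'none listed'}")
```

On a real host, call `cross_user_grants("/home")` as root, or adapt the loop to take home directories from the passwd database when they are not all under one root.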
Current thread:
- CVE request: OpenSSH ~/.k5users patch (Fedora and downstreams) Florian Weimer (Dec 02)
- Re: CVE request: OpenSSH ~/.k5users patch (Fedora and downstreams) cve-assign (Dec 04)