Re: Re: Announce: Portable OpenSSH 7.2p2 released

[Gsunde Orangen <gsunde.orangen () gmail com>]

It should be noted, that the new openSSH 7.2p2 also includes the fix for
CVE-2016-1908 as it had been assigned here:
http://seclists.org/oss-sec/2016/q1/115

* SECURITY: Eliminate the fallback from untrusted X11-forwarding to trusted
forwarding for cases when the X server disables
  the SECURITY extension. Reported by Thomas Hoger.

The associated commit (
https://anongit.mindrot.org/openssh.git/commit/?id=ed4ce82dbfa8a3a3c8ea6fa0db113c71e234416c)
did not make it into the last release as per last-minute decision (see:
http://lists.mindrot.org/pipermail/openssh-unix-dev/2016-January/034684.html
)

Anybody, please correct me if I am wrong

2016-03-10 18:36 GMT+01:00 <cve-assign () mitre org>:

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA256
>
> >  * sshd(8): sanitise X11 authentication credentials to avoid xauth
> >    command injection when X11Forwarding is enabled.
> >
> > http://www.openssh.com/txt/x11fwd.adv
> >
> > The contents of the credential's components (authentication
> > scheme and credential data) were not sanitised to exclude
> > meta-characters such as newlines.
>
> Use CVE-2016-3115.
>
>
> We also noticed this very recent entry in the Dropbear SSH changelog:
>
> > https://matt.ucc.asn.au/dropbear/CHANGES
> >
> > 2016.72 - 9 March 2016
> >
> > - Validate X11 forwarding input. Could allow bypass of authorized_keys
> command= restrictions,
> >   found by github.com/tintinweb. Thanks for Damien Miller for a patch.
>
> Use CVE-2016-3116.
>
> - --
> CVE Assignment Team
> M/S M300, 202 Burlington Road, Bedford, MA 01730 USA
> [ A PGP key is available for encrypted communications at
>   http://cve.mitre.org/cve/request_id.html ]
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1
>
> iQIcBAEBCAAGBQJW4bBqAAoJEL54rhJi8gl5tQEP/3580WbVSVM7XSOW3IyR5+GY
> ZoMmlEAafKV4BtSc/U/vlbvYSyLTQq7a2RPw8hWQrbjT8GPnE6YAxhYLC338eTIs
> UK0ETcZ04qbEglkvf3DFhWCdqrfQ9N8Qls00pebPa5nlIhUx8tf/qRt39Kle9hfJ
> T9Ni64gWYXIcRp2jXSlAeTHwuPqjZJpwLj1J18L+LKBytU07fxgaebdpeo9enakm
> z9ytFZZ95ibkvOr7aSLJ9QCLhD1pp1Lyuw0dWrcjcz7VZXMyvvAQTJ4aFKLWI/Zl
> Ygo8zBh0dKx82cGD1GyMRGtpryjYoNsq4FKKbe71qbCt2qVapHV9g0AZDf6AOZ2W
> vJ3j5md74cPllo06vuMpm8JhJQwOAqCe5wZG4WvOKy9h8ELy1DUlP+V6TFiF3GOm
> 8ehk58oVAu8Isgex3I4uNkTf4vhlufut5TkC+JJAA3klJFVrgq57pSk2PSTpGZR2
> //RudkF3fjivbndn20CRF7Qb1TUh4aQj96+r/yxBYZk18717ACO/MBO/SgCs9DiE
> VOl2Hpo+sDyhenEinwFFu1uJebSQqiAnHAKmWbpKAYWdDErcuN6PE00uYr/RAUW0
> qFo8E6bjy8emNL/Zw16x+dYb41Khh8KJp0ROobxbdbUBTlXUgSX6d301X0ZAVNXT
> JyxLlvwg5t1U9NgpiTEX
> =Wyah
> -----END PGP SIGNATURE-----