bugs.debian.org
Open in
urlscan Pro
2605:bc80:3010:b00:0:deb:166:212
Public Scan
Submitted URL: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=657445
Effective URL: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=657445
Submission: On November 27 via api from HU — Scanned from DE
Effective URL: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=657445
Submission: On November 27 via api from HU — Scanned from DE
Form analysis 0 forms found in the DOM
Text Content
DEBIAN BUG REPORT LOGS - #657445
OPENSSH-SERVER: FORCED COMMAND HANDLING LEAKS PRIVATE INFORMATION TO SSH CLIENTS
Package: openssh-server; Maintainer for openssh-server is Debian OpenSSH
Maintainers <debian-ssh@lists.debian.org>; Source for openssh-server is
src:openssh (PTS, buildd, popcon).
Affects: gitolite
Reported by: Bjoern Buerger <bbu@pengutronix.de>
Date: Thu, 26 Jan 2012 11:06:40 UTC
Severity: normal
Tags: security
Found in version openssh/1:5.5p1-6+squeeze1
Fixed in versions openssh/1:5.7p1-1, openssh/1:5.5p1-6+squeeze2
Done: Colin Watson <cjwatson@debian.org>
Bug is archived. No further changes may be made.
Display info messages
View this report as an mbox folder, status mbox, maintainer mbox
--------------------------------------------------------------------------------
Report forwarded to debian-bugs-dist@lists.debian.org, Debian OpenSSH
Maintainers <debian-ssh@lists.debian.org>:
Bug#657445; Package openssh-server. (Thu, 26 Jan 2012 11:06:44 GMT) (full text,
mbox, link).
--------------------------------------------------------------------------------
Acknowledgement sent to Bjoern Buerger <bbu@pengutronix.de>:
New Bug report received and forwarded. Copy sent to Debian OpenSSH Maintainers
<debian-ssh@lists.debian.org>. (Thu, 26 Jan 2012 11:06:45 GMT) (full text, mbox,
link).
--------------------------------------------------------------------------------
Message #5 received at submit@bugs.debian.org (full text, mbox, reply):
From: Bjoern Buerger <bbu@pengutronix.de>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: openssh-server: Forced Command handling leaks private information to
ssh clients
Date: Thu, 26 Jan 2012 11:46:18 +0100
Package: openssh-server
Version: 1:5.5p1-6+squeeze1
Severity: normal
The handling of multiple forced commands in ~/.ssh/authorized key leaks
information about other configured forced commands to the user. This
affects tools lile gitolite, which makes heavy use of forced commands
(For gitolite, this bug means: A user can obtain some or all usernames
with access to the same gitolite setup by just using the verbose
switch of his ssh client, which is a really nasty thing).
Example:
User "bbu" on machine "ptx" has three configured forced commands for
keys test{1,2,3}_rsa.pub:
command="/usr/bin/first_command" ssh-rsa [...third_key...]
command="/usr/bin/second_command" ssh-rsa [...second_key...]
command="/usr/bin/third_command" ssh-rsa [...third_key...]
Now, if the user of test1_rsa.pub uses the "-v" switch of
his ssh client, he gets just his command:
foo@bar:~/ssh_debug$ ssh -i test1_rsa -v bbu@ptx 2>&1 | grep Forced\ command
debug1: Remote: Forced command: /usr/bin/first_command
debug1: Remote: Forced command: /usr/bin/first_command
but the user of test2_rsa.pub sees two commands:
foo@bar:~/ssh_debug$ ssh -i test2_rsa -v bbu@ptx 2>&1 | grep Forced\ command
debug1: Remote: Forced command: /usr/bin/first_command
debug1: Remote: Forced command: /usr/bin/second_command
debug1: Remote: Forced command: /usr/bin/first_command
debug1: Remote: Forced command: /usr/bin/second_command
and for user of test3_rsa.pub:
bbu@elara:~/ssh_debug$ ssh -i test3_rsa -v bbu@ptx 2>&1 | grep Forced\ command
debug1: Remote: Forced command: /usr/bin/first_command
debug1: Remote: Forced command: /usr/bin/second_command
debug1: Remote: Forced command: /usr/bin/third_command
debug1: Remote: Forced command: /usr/bin/first_command
debug1: Remote: Forced command: /usr/bin/second_command
debug1: Remote: Forced command: /usr/bin/third_command
-- System Information:
Debian Release: 6.0.3
APT prefers stable-updates
APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: i386 (i686)
Kernel: Linux 2.6.32-5-686 (SMP w/1 CPU core)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Versions of packages openssh-server depends on:
ii adduser 3.112+nmu2 add and remove users and groups
ii debconf [debconf-2. 1.5.36.1 Debian configuration management sy
ii dpkg 1.15.8.11 Debian package management system
ii libc6 2.11.2-10 Embedded GNU C Library: Shared lib
ii libcomerr2 1.41.12-4stable1 common error description library
ii libgssapi-krb5-2 1.8.3+dfsg-4squeeze5 MIT Kerberos runtime libraries - k
ii libkrb5-3 1.8.3+dfsg-4squeeze5 MIT Kerberos runtime libraries
ii libpam-modules 1.1.1-6.1+squeeze1 Pluggable Authentication Modules f
ii libpam-runtime 1.1.1-6.1+squeeze1 Runtime support for the PAM librar
ii libpam0g 1.1.1-6.1+squeeze1 Pluggable Authentication Modules l
ii libselinux1 2.0.96-1 SELinux runtime shared libraries
ii libssl0.9.8 0.9.8o-4squeeze7 SSL shared libraries
ii libwrap0 7.6.q-19 Wietse Venema's TCP wrappers libra
ii lsb-base 3.2-23.2squeeze1 Linux Standard Base 3.2 init scrip
ii openssh-blacklist 0.4.1 list of default blacklisted OpenSS
ii openssh-client 1:5.5p1-6+squeeze1 secure shell (SSH) client, for sec
ii procps 1:3.2.8-9 /proc file system utilities
ii zlib1g 1:1.2.3.4.dfsg-3 compression library - runtime
Versions of packages openssh-server recommends:
ii openssh-blacklist-extra 0.4.1 list of non-default blacklisted Op
ii xauth 1:1.0.4-1 X authentication utility
Versions of packages openssh-server suggests:
pn molly-guard <none> (no description available)
pn rssh <none> (no description available)
pn ssh-askpass <none> (no description available)
pn ufw <none> (no description available)
-- debconf information excluded
--------------------------------------------------------------------------------
Added tag(s) security. Request was from Paul Wise <pabs@debian.org> to
control@bugs.debian.org. (Thu, 26 Jan 2012 14:09:37 GMT) (full text, mbox,
link).
--------------------------------------------------------------------------------
Information forwarded to debian-bugs-dist@lists.debian.org, Debian OpenSSH
Maintainers <debian-ssh@lists.debian.org>:
Bug#657445; Package openssh-server. (Thu, 26 Jan 2012 23:39:08 GMT) (full text,
mbox, link).
--------------------------------------------------------------------------------
Acknowledgement sent to Kurt Seifried <kseifried@redhat.com>:
Extra info received and forwarded to list. Copy sent to Debian OpenSSH
Maintainers <debian-ssh@lists.debian.org>. (Thu, 26 Jan 2012 23:39:08 GMT) (full
text, mbox, link).
--------------------------------------------------------------------------------
Message #12 received at 657445@bugs.debian.org (full text, mbox, reply):
From: Kurt Seifried <kseifried@redhat.com>
To: 657445@bugs.debian.org
Subject: Please use CVE-2012-0814 for this issue
Date: Thu, 26 Jan 2012 16:36:04 -0700
Please use CVE-2012-0814 for this issue
http://seclists.org/oss-sec/2012/q1/296
--
Kurt Seifried Red Hat Security Response Team (SRT)
--------------------------------------------------------------------------------
Information forwarded to debian-bugs-dist@lists.debian.org, Debian OpenSSH
Maintainers <debian-ssh@lists.debian.org>:
Bug#657445; Package openssh-server. (Fri, 27 Jan 2012 00:54:03 GMT) (full text,
mbox, link).
--------------------------------------------------------------------------------
Acknowledgement sent to Marc Deslauriers <marc.deslauriers@canonical.com>:
Extra info received and forwarded to list. Copy sent to Debian OpenSSH
Maintainers <debian-ssh@lists.debian.org>. (Fri, 27 Jan 2012 00:54:03 GMT) (full
text, mbox, link).
--------------------------------------------------------------------------------
Message #17 received at 657445@bugs.debian.org (full text, mbox, reply):
From: Marc Deslauriers <marc.deslauriers@canonical.com>
To: 657445@bugs.debian.org
Date: Thu, 26 Jan 2012 19:50:24 -0500
Looks like this:
http://www.openbsd.org/cgi-bin/cvsweb/src/usr.bin/ssh/auth-options.c.diff?r1=1.53;r2=1.54
--------------------------------------------------------------------------------
Added indication that 657445 affects gitolite Request was from Gerfried Fuchs
<rhonda@deb.at> to control@bugs.debian.org. (Fri, 27 Jan 2012 10:24:17 GMT)
(full text, mbox, link).
--------------------------------------------------------------------------------
Information forwarded to debian-bugs-dist@lists.debian.org, Debian OpenSSH
Maintainers <debian-ssh@lists.debian.org>:
Bug#657445; Package openssh-server. (Wed, 08 Feb 2012 17:48:08 GMT) (full text,
mbox, link).
--------------------------------------------------------------------------------
Acknowledgement sent to Moritz Muehlenhoff <jmm@inutil.org>:
Extra info received and forwarded to list. Copy sent to Debian OpenSSH
Maintainers <debian-ssh@lists.debian.org>. (Wed, 08 Feb 2012 17:48:08 GMT) (full
text, mbox, link).
--------------------------------------------------------------------------------
Message #24 received at 657445@bugs.debian.org (full text, mbox, reply):
From: Moritz Muehlenhoff <jmm@inutil.org>
To: Marc Deslauriers <marc.deslauriers@canonical.com>
Cc: 657445@bugs.debian.org, team@security.debian.org
Subject: Re: your mail
Date: Wed, 8 Feb 2012 18:44:26 +0100
On Thu, Jan 26, 2012 at 07:50:24PM -0500, Marc Deslauriers wrote:
> Looks like this:
>
> http://www.openbsd.org/cgi-bin/cvsweb/src/usr.bin/ssh/auth-options.c.diff?r1=1.53;r2=1.54
Colin, can you fix this for the 6.0.5 point release?
Cheers,
Moritz
--------------------------------------------------------------------------------
Information forwarded to debian-bugs-dist@lists.debian.org, Debian OpenSSH
Maintainers <debian-ssh@lists.debian.org>:
Bug#657445; Package openssh-server. (Mon, 20 Feb 2012 03:27:10 GMT) (full text,
mbox, link).
--------------------------------------------------------------------------------
Acknowledgement sent to Colin Watson <cjwatson@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian OpenSSH
Maintainers <debian-ssh@lists.debian.org>. (Mon, 20 Feb 2012 03:27:10 GMT) (full
text, mbox, link).
--------------------------------------------------------------------------------
Message #29 received at 657445@bugs.debian.org (full text, mbox, reply):
From: Colin Watson <cjwatson@debian.org>
To: Moritz Muehlenhoff <jmm@inutil.org>, 657445@bugs.debian.org
Cc: Marc Deslauriers <marc.deslauriers@canonical.com>, team@security.debian.org
Subject: Re: Bug#657445: your mail
Date: Mon, 20 Feb 2012 02:46:14 +0000
On Wed, Feb 08, 2012 at 06:44:26PM +0100, Moritz Muehlenhoff wrote:
> On Thu, Jan 26, 2012 at 07:50:24PM -0500, Marc Deslauriers wrote:
> > Looks like this:
> >
> > http://www.openbsd.org/cgi-bin/cvsweb/src/usr.bin/ssh/auth-options.c.diff?r1=1.53;r2=1.54
>
> Colin, can you fix this for the 6.0.5 point release?
Yes - sorry for the delay, real life intervened fairly heavily. Do the
signed packages at master:~cjwatson/openssh/ meet your requirements? A
debdiff follows.
diff -Nru openssh-5.5p1/debian/changelog openssh-5.5p1/debian/changelog
--- openssh-5.5p1/debian/changelog 2011-07-28 17:44:13.000000000 +0100
+++ openssh-5.5p1/debian/changelog 2012-02-20 02:26:35.000000000 +0000
@@ -1,3 +1,11 @@
+openssh (1:5.5p1-6+squeeze2) stable-security; urgency=high
+
+ * CVE-2012-0814: Don't send the actual forced command in a debug message,
+ which allowed remote authenticated users to obtain potentially sensitive
+ information by reading these messages (closes: #657445).
+
+ -- Colin Watson <cjwatson@debian.org> Mon, 20 Feb 2012 02:23:55 +0000
+
openssh (1:5.5p1-6+squeeze1) stable; urgency=low
* Quieten logs when multiple from= restrictions are used in different
diff -Nru openssh-5.5p1/debian/patches/forced-command-debug-security.patch openssh-5.5p1/debian/patches/forced-command-debug-security.patch
--- openssh-5.5p1/debian/patches/forced-command-debug-security.patch 1970-01-01 01:00:00.000000000 +0100
+++ openssh-5.5p1/debian/patches/forced-command-debug-security.patch 2012-02-20 02:18:45.000000000 +0000
@@ -0,0 +1,19 @@
+Description: Don't send the actual forced command in a debug message
+Origin: upstream, http://www.openbsd.org/cgi-bin/cvsweb/src/usr.bin/ssh/auth-options.c.diff?r1=1.53;r2=1.54
+Bug-Debian: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=657445
+Forwarded: not-needed
+Last-Update: 2012-02-20
+
+Index: b/auth-options.c
+===================================================================
+--- a/auth-options.c
++++ b/auth-options.c
+@@ -174,7 +174,7 @@
+ goto bad_option;
+ }
+ forced_command[i] = '\0';
+- auth_debug_add("Forced command: %.900s", forced_command);
++ auth_debug_add("Forced command.");
+ opts++;
+ goto next_option;
+ }
diff -Nru openssh-5.5p1/debian/patches/series openssh-5.5p1/debian/patches/series
--- openssh-5.5p1/debian/patches/series 2011-07-28 17:22:59.000000000 +0100
+++ openssh-5.5p1/debian/patches/series 2012-02-20 02:22:06.000000000 +0000
@@ -27,6 +27,9 @@
dnssec-sshfp.patch
auth-log-verbosity.patch
+# Security fixes
+forced-command-debug-security.patch
+
# Versioning
package-versioning.patch
debian-banner.patch
--
Colin Watson [cjwatson@debian.org]
--------------------------------------------------------------------------------
Bug Marked as fixed in versions openssh/1:5.7p1-1. Request was from Colin Watson
<cjwatson@debian.org> to control@bugs.debian.org. (Mon, 20 Feb 2012 03:27:11
GMT) (full text, mbox, link).
--------------------------------------------------------------------------------
Information forwarded to debian-bugs-dist@lists.debian.org, Debian OpenSSH
Maintainers <debian-ssh@lists.debian.org>:
Bug#657445; Package openssh-server. (Mon, 20 Feb 2012 10:06:03 GMT) (full text,
mbox, link).
--------------------------------------------------------------------------------
Acknowledgement sent to "Thijs Kinkhorst" <thijs@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian OpenSSH
Maintainers <debian-ssh@lists.debian.org>. (Mon, 20 Feb 2012 10:06:07 GMT) (full
text, mbox, link).
--------------------------------------------------------------------------------
Message #36 received at 657445@bugs.debian.org (full text, mbox, reply):
From: "Thijs Kinkhorst" <thijs@debian.org>
To: "Colin Watson" <cjwatson@debian.org>
Cc: 657445@bugs.debian.org, "Marc Deslauriers" <marc.deslauriers@canonical.com>,
team@security.debian.org
Subject: Re: Bug#657445: your mail
Date: Mon, 20 Feb 2012 11:04:20 +0100
Hi Colin,
On Mon, February 20, 2012 03:46, Colin Watson wrote:
> On Wed, Feb 08, 2012 at 06:44:26PM +0100, Moritz Muehlenhoff wrote:
>> On Thu, Jan 26, 2012 at 07:50:24PM -0500, Marc Deslauriers wrote:
>> > Looks like this:
>> >
>> > http://www.openbsd.org/cgi-bin/cvsweb/src/usr.bin/ssh/auth-options.c.diff?r1=1.53;r2=1.54
>>
>> Colin, can you fix this for the 6.0.5 point release?
>
> Yes - sorry for the delay, real life intervened fairly heavily. Do the
> signed packages at master:~cjwatson/openssh/ meet your requirements? A
> debdiff follows.
Thanks for preparing this.
> diff -Nru openssh-5.5p1/debian/changelog openssh-5.5p1/debian/changelog
> --- openssh-5.5p1/debian/changelog 2011-07-28 17:44:13.000000000 +0100
> +++ openssh-5.5p1/debian/changelog 2012-02-20 02:26:35.000000000 +0000
> @@ -1,3 +1,11 @@
> +openssh (1:5.5p1-6+squeeze2) stable-security; urgency=high
The patch looks good, but the targeted distribution should be 'stable',
not 'stable-security', as the intention was to fix this through a stable
point update.
Cheers,
Thijs
--------------------------------------------------------------------------------
Information forwarded to debian-bugs-dist@lists.debian.org, Debian OpenSSH
Maintainers <debian-ssh@lists.debian.org>:
Bug#657445; Package openssh-server. (Mon, 20 Feb 2012 18:21:06 GMT) (full text,
mbox, link).
--------------------------------------------------------------------------------
Acknowledgement sent to Moritz Muehlenhoff <jmm@inutil.org>:
Extra info received and forwarded to list. Copy sent to Debian OpenSSH
Maintainers <debian-ssh@lists.debian.org>. (Mon, 20 Feb 2012 18:21:06 GMT) (full
text, mbox, link).
--------------------------------------------------------------------------------
Message #41 received at 657445@bugs.debian.org (full text, mbox, reply):
From: Moritz Muehlenhoff <jmm@inutil.org>
To: cjwatson@debian.org
Cc: 657445@bugs.debian.org, team@security.debian.org,
debian-release@lists.debian.org
Subject: Re: Bug#657445: your mail
Date: Mon, 20 Feb 2012 19:15:09 +0100
On Mon, Feb 20, 2012 at 11:04:20AM +0100, Thijs Kinkhorst wrote:
> Hi Colin,
>
> On Mon, February 20, 2012 03:46, Colin Watson wrote:
> > On Wed, Feb 08, 2012 at 06:44:26PM +0100, Moritz Muehlenhoff wrote:
> >> On Thu, Jan 26, 2012 at 07:50:24PM -0500, Marc Deslauriers wrote:
> >> > Looks like this:
> >> >
> >> > http://www.openbsd.org/cgi-bin/cvsweb/src/usr.bin/ssh/auth-options.c.diff?r1=1.53;r2=1.54
> >>
> >> Colin, can you fix this for the 6.0.5 point release?
> >
> > Yes - sorry for the delay, real life intervened fairly heavily. Do the
> > signed packages at master:~cjwatson/openssh/ meet your requirements? A
> > debdiff follows.
>
> Thanks for preparing this.
>
> > diff -Nru openssh-5.5p1/debian/changelog openssh-5.5p1/debian/changelog
> > --- openssh-5.5p1/debian/changelog 2011-07-28 17:44:13.000000000 +0100
> > +++ openssh-5.5p1/debian/changelog 2012-02-20 02:26:35.000000000 +0000
> > @@ -1,3 +1,11 @@
> > +openssh (1:5.5p1-6+squeeze2) stable-security; urgency=high
>
> The patch looks good, but the targeted distribution should be 'stable',
> not 'stable-security', as the intention was to fix this through a stable
> point update.
The fix needs to be acked by the stable release managers, adding them to CC.
Cheers,
Moritz
--------------------------------------------------------------------------------
Information forwarded to debian-bugs-dist@lists.debian.org, Debian OpenSSH
Maintainers <debian-ssh@lists.debian.org>:
Bug#657445; Package openssh-server. (Mon, 20 Feb 2012 19:39:05 GMT) (full text,
mbox, link).
--------------------------------------------------------------------------------
Acknowledgement sent to "Adam D. Barratt" <adam@adam-barratt.org.uk>:
Extra info received and forwarded to list. Copy sent to Debian OpenSSH
Maintainers <debian-ssh@lists.debian.org>. (Mon, 20 Feb 2012 19:39:05 GMT) (full
text, mbox, link).
--------------------------------------------------------------------------------
Message #46 received at 657445@bugs.debian.org (full text, mbox, reply):
From: "Adam D. Barratt" <adam@adam-barratt.org.uk>
To: Moritz Muehlenhoff <jmm@inutil.org>
Cc: cjwatson@debian.org, 657445@bugs.debian.org, team@security.debian.org,
debian-release@lists.debian.org
Subject: Re: Bug#657445: your mail
Date: Mon, 20 Feb 2012 19:36:14 +0000
On Mon, 2012-02-20 at 19:15 +0100, Moritz Muehlenhoff wrote:
> On Mon, Feb 20, 2012 at 11:04:20AM +0100, Thijs Kinkhorst wrote:
> > On Mon, February 20, 2012 03:46, Colin Watson wrote:
> > > diff -Nru openssh-5.5p1/debian/changelog openssh-5.5p1/debian/changelog
> > > --- openssh-5.5p1/debian/changelog 2011-07-28 17:44:13.000000000 +0100
> > > +++ openssh-5.5p1/debian/changelog 2012-02-20 02:26:35.000000000 +0000
> > > @@ -1,3 +1,11 @@
> > > +openssh (1:5.5p1-6+squeeze2) stable-security; urgency=high
> >
> > The patch looks good, but the targeted distribution should be 'stable',
> > not 'stable-security', as the intention was to fix this through a stable
> > point update.
>
> The fix needs to be acked by the stable release managers, adding them to CC.
Hmmm, it would be nicer if it were still possible to log commands that
the key /should/ be permitted to access, but I'm guessing that would be
a more involved and invasive change.
Based on the debdiff in
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=657445#29 , please go
ahead (with the distribution set to "stable" or "squeeze").
Regards,
Adam
--------------------------------------------------------------------------------
Information forwarded to debian-bugs-dist@lists.debian.org, Debian OpenSSH
Maintainers <debian-ssh@lists.debian.org>:
Bug#657445; Package openssh-server. (Tue, 21 Feb 2012 08:45:03 GMT) (full text,
mbox, link).
--------------------------------------------------------------------------------
Acknowledgement sent to Colin Watson <cjwatson@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian OpenSSH
Maintainers <debian-ssh@lists.debian.org>. (Tue, 21 Feb 2012 08:45:03 GMT) (full
text, mbox, link).
--------------------------------------------------------------------------------
Message #51 received at 657445@bugs.debian.org (full text, mbox, reply):
From: Colin Watson <cjwatson@debian.org>
To: "Adam D. Barratt" <adam@adam-barratt.org.uk>
Cc: Moritz Muehlenhoff <jmm@inutil.org>, 657445@bugs.debian.org,
team@security.debian.org, debian-release@lists.debian.org
Subject: Re: Bug#657445: your mail
Date: Tue, 21 Feb 2012 08:41:12 +0000
On Mon, Feb 20, 2012 at 07:36:14PM +0000, Adam D. Barratt wrote:
> On Mon, 2012-02-20 at 19:15 +0100, Moritz Muehlenhoff wrote:
> > On Mon, Feb 20, 2012 at 11:04:20AM +0100, Thijs Kinkhorst wrote:
> > > The patch looks good, but the targeted distribution should be 'stable',
> > > not 'stable-security', as the intention was to fix this through a stable
> > > point update.
I misunderstood. Sorry about that.
> > The fix needs to be acked by the stable release managers, adding them to CC.
>
> Hmmm, it would be nicer if it were still possible to log commands that
> the key /should/ be permitted to access, but I'm guessing that would be
> a more involved and invasive change.
This isn't an access list; it's a forced command, overriding whatever
the client tries to do. If authentication succeeds and it gets as far
as executing the command, then that's already logged at -d in the
server; see session.c:do_exec.
> Based on the debdiff in
> http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=657445#29 , please go
> ahead (with the distribution set to "stable" or "squeeze").
Uploaded, thanks.
--
Colin Watson [cjwatson@debian.org]
--------------------------------------------------------------------------------
Information forwarded to debian-bugs-dist@lists.debian.org, Debian OpenSSH
Maintainers <debian-ssh@lists.debian.org>:
Bug#657445; Package openssh-server. (Tue, 21 Feb 2012 19:03:08 GMT) (full text,
mbox, link).
--------------------------------------------------------------------------------
Acknowledgement sent to "Adam D. Barratt" <adam@adam-barratt.org.uk>:
Extra info received and forwarded to list. Copy sent to Debian OpenSSH
Maintainers <debian-ssh@lists.debian.org>. (Tue, 21 Feb 2012 19:03:08 GMT) (full
text, mbox, link).
--------------------------------------------------------------------------------
Message #56 received at 657445@bugs.debian.org (full text, mbox, reply):
From: "Adam D. Barratt" <adam@adam-barratt.org.uk>
To: Colin Watson <cjwatson@debian.org>
Cc: Moritz Muehlenhoff <jmm@inutil.org>, 657445@bugs.debian.org,
team@security.debian.org, debian-release@lists.debian.org
Subject: Re: Bug#657445: your mail
Date: Tue, 21 Feb 2012 19:01:44 +0000
On Tue, 2012-02-21 at 08:41 +0000, Colin Watson wrote:
> On Mon, Feb 20, 2012 at 07:36:14PM +0000, Adam D. Barratt wrote:
> > On Mon, 2012-02-20 at 19:15 +0100, Moritz Muehlenhoff wrote:
> > > The fix needs to be acked by the stable release managers, adding them to CC.
> >
> > Hmmm, it would be nicer if it were still possible to log commands that
> > the key /should/ be permitted to access, but I'm guessing that would be
> > a more involved and invasive change.
>
> This isn't an access list; it's a forced command, overriding whatever
> the client tries to do.
Yeah, senior moment; apologies.
> > Based on the debdiff in
> > http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=657445#29 , please go
> > ahead (with the distribution set to "stable" or "squeeze").
>
> Uploaded, thanks.
I've just flagged the package for acceptance into proposed-updates;
thanks.
Regards,
Adam
--------------------------------------------------------------------------------
Reply sent to Colin Watson <cjwatson@debian.org>:
You have taken responsibility. (Tue, 21 Feb 2012 19:21:06 GMT) (full text, mbox,
link).
--------------------------------------------------------------------------------
Notification sent to Bjoern Buerger <bbu@pengutronix.de>:
Bug acknowledged by developer. (Tue, 21 Feb 2012 19:21:06 GMT) (full text, mbox,
link).
--------------------------------------------------------------------------------
Message #61 received at 657445-close@bugs.debian.org (full text, mbox, reply):
From: Colin Watson <cjwatson@debian.org>
To: 657445-close@bugs.debian.org
Subject: Bug#657445: fixed in openssh 1:5.5p1-6+squeeze2
Date: Tue, 21 Feb 2012 19:17:11 +0000
Source: openssh
Source-Version: 1:5.5p1-6+squeeze2
We believe that the bug you reported is fixed in the latest version of
openssh, which is due to be installed in the Debian FTP archive:
openssh-client-udeb_5.5p1-6+squeeze2_i386.udeb
to main/o/openssh/openssh-client-udeb_5.5p1-6+squeeze2_i386.udeb
openssh-client_5.5p1-6+squeeze2_i386.deb
to main/o/openssh/openssh-client_5.5p1-6+squeeze2_i386.deb
openssh-server-udeb_5.5p1-6+squeeze2_i386.udeb
to main/o/openssh/openssh-server-udeb_5.5p1-6+squeeze2_i386.udeb
openssh-server_5.5p1-6+squeeze2_i386.deb
to main/o/openssh/openssh-server_5.5p1-6+squeeze2_i386.deb
openssh_5.5p1-6+squeeze2.debian.tar.gz
to main/o/openssh/openssh_5.5p1-6+squeeze2.debian.tar.gz
openssh_5.5p1-6+squeeze2.dsc
to main/o/openssh/openssh_5.5p1-6+squeeze2.dsc
ssh-askpass-gnome_5.5p1-6+squeeze2_i386.deb
to main/o/openssh/ssh-askpass-gnome_5.5p1-6+squeeze2_i386.deb
ssh-krb5_5.5p1-6+squeeze2_all.deb
to main/o/openssh/ssh-krb5_5.5p1-6+squeeze2_all.deb
ssh_5.5p1-6+squeeze2_all.deb
to main/o/openssh/ssh_5.5p1-6+squeeze2_all.deb
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 657445@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Colin Watson <cjwatson@debian.org> (supplier of updated openssh package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Format: 1.8
Date: Mon, 20 Feb 2012 02:23:55 +0000
Source: openssh
Binary: openssh-client openssh-server ssh ssh-krb5 ssh-askpass-gnome openssh-client-udeb openssh-server-udeb
Architecture: source all i386
Version: 1:5.5p1-6+squeeze2
Distribution: stable
Urgency: high
Maintainer: Debian OpenSSH Maintainers <debian-ssh@lists.debian.org>
Changed-By: Colin Watson <cjwatson@debian.org>
Closes: 657445
Description:
openssh-client - secure shell (SSH) client, for secure access to remote machines
openssh-client-udeb - secure shell client for the Debian installer (udeb)
openssh-server - secure shell (SSH) server, for secure access from remote machines
openssh-server-udeb - secure shell server for the Debian installer (udeb)
ssh - secure shell client and server (metapackage)
ssh-askpass-gnome - interactive X program to prompt users for a passphrase for ssh-ad
ssh-krb5 - secure shell client and server (transitional package)
Changes:
openssh (1:5.5p1-6+squeeze2) stable; urgency=high
.
* CVE-2012-0814: Don't send the actual forced command in a debug message,
which allowed remote authenticated users to obtain potentially sensitive
information by reading these messages (closes: #657445).
Checksums-Sha1:
89b5aedc4dfb5e2876df5fa40c3313b5b572d9ed 2557 openssh_5.5p1-6+squeeze2.dsc
ceb108f0b33ff4e5c167fc0eb41c93ea22cfebbc 233367 openssh_5.5p1-6+squeeze2.debian.tar.gz
3d094e8dcbdcaf571185bf15518818b27f205189 881778 openssh-client_5.5p1-6+squeeze2_i386.deb
5319802d08acc7b0725f0816d267aa043bc446ea 298402 openssh-server_5.5p1-6+squeeze2_i386.deb
dfb2c8660b4700e4fcac8df396273202d5397714 1250 ssh_5.5p1-6+squeeze2_all.deb
ec6d537e0cc11e2d2bc76b81ca68d0254e2bd5fc 95606 ssh-krb5_5.5p1-6+squeeze2_all.deb
6423d75f63c93835533f33a7947b6d4f58a8dba9 103596 ssh-askpass-gnome_5.5p1-6+squeeze2_i386.deb
8395bf68345197de9daf9349ac9666e2454b7185 195664 openssh-client-udeb_5.5p1-6+squeeze2_i386.udeb
46d371ac35ee44238b63fb29d67d47971f159cba 218428 openssh-server-udeb_5.5p1-6+squeeze2_i386.udeb
Checksums-Sha256:
94c2efd5a2ab76c3e65ba69230c818da546d4e448ab225e4af3e82c48e041e55 2557 openssh_5.5p1-6+squeeze2.dsc
ecb30b1e40ac3446c3e3e6ffade5fe85656f084fcce3116184ad06101679bee0 233367 openssh_5.5p1-6+squeeze2.debian.tar.gz
48b9c646f9369c4518719cd6d84cdfa4271fff981d9e0f37ce900d730f6f8eda 881778 openssh-client_5.5p1-6+squeeze2_i386.deb
9f188d713a59ba4d6d6606ba3f864be5b2e0cdf43d3a4293c076068ca26f9d56 298402 openssh-server_5.5p1-6+squeeze2_i386.deb
91fa5c92e0c525d9bf679a8a3c35d539bf2f7db38c8e12c65eda21af3b630de0 1250 ssh_5.5p1-6+squeeze2_all.deb
2e81af056cb303462f52d715fc30c1d76ab7b476ae6df52716ad67672209b538 95606 ssh-krb5_5.5p1-6+squeeze2_all.deb
75c8f15fd4e2d0055cf83fe60195e3bcbdb1680ea4e451e04bae161a31f48e44 103596 ssh-askpass-gnome_5.5p1-6+squeeze2_i386.deb
7a3263a461dcd1d476479b351157b1bb86c1016da4e40261c200dcad07e80cb0 195664 openssh-client-udeb_5.5p1-6+squeeze2_i386.udeb
28f77fbec04398525336d92d8d197f552b693c10e0da1568d104e7626e7ce785 218428 openssh-server-udeb_5.5p1-6+squeeze2_i386.udeb
Files:
ce639f805e5c7b07623bf4cc26f5782f 2557 net standard openssh_5.5p1-6+squeeze2.dsc
c616a201b3e82a8eb3226eba13aa0016 233367 net standard openssh_5.5p1-6+squeeze2.debian.tar.gz
d3eaaf434db099c4671d36c63ed55188 881778 net standard openssh-client_5.5p1-6+squeeze2_i386.deb
53c5facf5e422739402d749ac81240ec 298402 net optional openssh-server_5.5p1-6+squeeze2_i386.deb
5575f145bfab822a04cea7d9b0e6b093 1250 net extra ssh_5.5p1-6+squeeze2_all.deb
37a3ffe077000eca4028719402e31320 95606 net extra ssh-krb5_5.5p1-6+squeeze2_all.deb
40998f5446f65301e5cf1a2e4e8b5bcd 103596 gnome optional ssh-askpass-gnome_5.5p1-6+squeeze2_i386.deb
85a30bd06c6070ed5f434dc435348212 195664 debian-installer optional openssh-client-udeb_5.5p1-6+squeeze2_i386.udeb
0051884bd9de85c5e276b72073ba6c67 218428 debian-installer optional openssh-server-udeb_5.5p1-6+squeeze2_i386.udeb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
Comment: Colin Watson <cjwatson@debian.org> -- Debian developer
iQIVAwUBT0NYODk1h9l9hlALAQiRqg/9HJ0ydtlAOSeOm3CrwgxTi7jPt0+6cAbF
fQpM/81V3WcMpIpg7jrBtkuduyqfB3tctYcdIBv0v5GhHeD8GGKDHi/k35/UmyI4
EKedk8XpR/+8G8564uwLOzBIPo+jc/a+PCXu1D4OuaUc4VwNZglYL5N2+MFZA4jv
Xex/OvjJS40nckAgjdDNeszUTUw8d/dD+av7iWz65cbBPflUcIATZ3PyDtVomkEZ
QcHPlNYG+Eu3VJhUwgI+S7LxWQZSfZNTvwUgj3JwJX4qMoRtSpVV8RHhcSiMvsA3
AeG1kZUDPYg0fnpTKTajmY95YQQnwfQRwxXmz0d7Wep6nF/2kF3Khzo3Z1XckGlC
oi9mAPIWtgLiEWVYurM7TiNz/1Hqc5Rsk3v4xE56d9jBZQ9axWfGSp8nPjssWdea
7vGmaDVBJWSiiwVN+HcPzfwZ6xtaNvDWWlcXyqD+ttuwzlXy3AypZfNgsbr7LGA2
C/l+xZx70WOYOZxjuXfg+fczmQr8uO29CDmg8cEUtnrlfll1C25YwohhppWebjcp
oYz+gZOvQ9v1Crnl843vC54BDbqQKR/HBKOpnGOne9uR/HcRLH4B+7z6Ujs2ybIJ
WlXtjUD9lejwMlHg1TBiU5M5Af+WhA9HdRXQ9GWEf3BKdLOrqSr6XJVfHY6NVBcu
PdXHBKFK8n4=
=xDPA
-----END PGP SIGNATURE-----
--------------------------------------------------------------------------------
Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org>
to internal_control@bugs.debian.org. (Wed, 21 Mar 2012 07:35:18 GMT) (full text,
mbox, link).
--------------------------------------------------------------------------------
Send a report that this bug log contains spam.
--------------------------------------------------------------------------------
Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified:
Wed Nov 27 10:30:37 2024; Machine Name: bembo
Debian Bug tracking system
Debbugs is free software and licensed under the terms of the GNU Public License
version 2. The current version can be obtained from
https://bugs.debian.org/debbugs-source/.
Copyright © 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97
Ian Jackson, 2005-2017 Don Armstrong, and many other contributors.