openssh-server: CVE-2008-1657 bypass of ForceCommand directive via session file modification

Debian Bug report logs - #475156
openssh-server: CVE-2008-1657 bypass of ForceCommand directive via session file modification

Toggle useless messages

Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: Nico Golde <nion@debian.org>

To: submit@bugs.debian.org

Subject: openssh-server: CVE-2008-1657 bypass of ForceCommand directive via session file modification

Date: Wed, 9 Apr 2008 14:41:48 +0200

[Message part 1 (text/plain, inline)]

Package: openssh-server
Version: 1:4.3p2-9
Severity: important
Tags: security

Hi,
the following CVE (Common Vulnerabilities & Exposures) id was
published for openssh.


CVE-2008-1657[0]:
| OpenSSH before 4.9 allows remote authenticated users to bypass the
| sshd_config ForceCommand directive by modifying the .ssh/rc session
| file.

If you fix the vulnerability please also make sure to include the
CVE id in your changelog entry.

For further information see:

[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1657
    http://security-tracker.debian.net/tracker/CVE-2008-1657

-- 
Nico Golde - http://www.ngolde.de - nion@jabber.ccc.de - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.

[Message part 2 (application/pgp-signature, inline)]

Message #12 received at 475156@bugs.debian.org (full text, mbox, reply):

From: Colin Watson <cjwatson@debian.org>

To: Nico Golde <nion@debian.org>, 475156@bugs.debian.org

Subject: Re: Bug#475156: openssh-server: CVE-2008-1657 bypass of ForceCommand directive via session file modification

Date: Wed, 9 Apr 2008 14:58:24 +0100

On Wed, Apr 09, 2008 at 02:41:48PM +0200, Nico Golde wrote:
> the following CVE (Common Vulnerabilities & Exposures) id was
> published for openssh.
> 
> 
> CVE-2008-1657[0]:
> | OpenSSH before 4.9 allows remote authenticated users to bypass the
> | sshd_config ForceCommand directive by modifying the .ssh/rc session
> | file.
> 
> If you fix the vulnerability please also make sure to include the
> CVE id in your changelog entry.

At the time I fixed this, it didn't have a public CVE identifier. I've
retroactively filled it in (in CVS) now.

Cheers,

-- 
Colin Watson                                       [cjwatson@debian.org]

Message #17 received at 475156-done@bugs.debian.org (full text, mbox, reply):

From: Colin Watson <cjwatson@debian.org>

To: 475156-done@bugs.debian.org

Subject: fixed ages ago

Date: Mon, 4 Jan 2010 00:31:05 +0000

Source: openssh
Source-Version: 1:4.7p1-8

This was fixed ages ago, but inadvertently left open in at least some
BTS views. Closing properly now.

openssh (1:4.7p1-8) unstable; urgency=high

  * Fill in CVE identifier for security vulnerability fixed in 1:4.7p1-5.
  * Rename KeepAlive to TCPKeepAlive in sshd_config, cleaning up from old
    configurations (LP: #211400).
  * Tweak scp's reporting of filenames in verbose mode to be a bit less
    confusing with spaces (thanks, Nicolas Valcárcel; LP: #89945).
  * Backport from 4.9p1:
    - CVE-2008-1657: Ignore ~/.ssh/rc if a sshd_config ForceCommand is
      specified.
    - Add no-user-rc authorized_keys option to disable execution of
      ~/.ssh/rc.
  * Backport from Simon Wilkinson's GSSAPI key exchange patch for 5.0p1:
    - Add code to actually implement GSSAPIStrictAcceptorCheck, which had
      somehow been omitted from a previous version of this patch (closes:
      #474246).

 -- Colin Watson <cjwatson@debian.org>  Sun, 06 Apr 2008 12:34:19 +0100

-- 
Colin Watson                                       [cjwatson@debian.org]

Send a report that this bug log contains spam.