Debian Bug report logs -
#475156
openssh-server: CVE-2008-1657 bypass of ForceCommand directive via session file modification
Reported by: Nico Golde <nion@debian.org>
Date: Wed, 9 Apr 2008 12:45:01 UTC
Severity: important
Tags: security
Found in version openssh/1:4.3p2-9
Fixed in version openssh/1:4.7p1-8
Done: Colin Watson <cjwatson@debian.org>
Bug is archived. No further changes may be made.
Toggle useless messages
Report forwarded to debian-bugs-dist@lists.debian.org, Debian OpenSSH Maintainers <debian-ssh@lists.debian.org>
:
Bug#475156
; Package openssh-server
.
(full text, mbox, link).
Acknowledgement sent to Nico Golde <nion@debian.org>
:
New Bug report received and forwarded. Copy sent to Debian OpenSSH Maintainers <debian-ssh@lists.debian.org>
.
(full text, mbox, link).
Message #5 received at submit@bugs.debian.org (full text, mbox, reply):
[Message part 1 (text/plain, inline)]
Package: openssh-server
Version: 1:4.3p2-9
Severity: important
Tags: security
Hi,
the following CVE (Common Vulnerabilities & Exposures) id was
published for openssh.
CVE-2008-1657[0]:
| OpenSSH before 4.9 allows remote authenticated users to bypass the
| sshd_config ForceCommand directive by modifying the .ssh/rc session
| file.
If you fix the vulnerability please also make sure to include the
CVE id in your changelog entry.
For further information see:
[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1657
http://security-tracker.debian.net/tracker/CVE-2008-1657
--
Nico Golde - http://www.ngolde.de - nion@jabber.ccc.de - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.
[Message part 2 (application/pgp-signature, inline)]
Bug marked as fixed in version 1:4.7p1-8.
Request was from Nico Golde <nion@debian.org>
to control@bugs.debian.org
.
(Wed, 09 Apr 2008 12:48:04 GMT) (full text, mbox, link).
Information forwarded to debian-bugs-dist@lists.debian.org, Debian OpenSSH Maintainers <debian-ssh@lists.debian.org>
:
Bug#475156
; Package openssh-server
.
(full text, mbox, link).
Acknowledgement sent to Colin Watson <cjwatson@debian.org>
:
Extra info received and forwarded to list. Copy sent to Debian OpenSSH Maintainers <debian-ssh@lists.debian.org>
.
(full text, mbox, link).
Message #12 received at 475156@bugs.debian.org (full text, mbox, reply):
On Wed, Apr 09, 2008 at 02:41:48PM +0200, Nico Golde wrote:
> the following CVE (Common Vulnerabilities & Exposures) id was
> published for openssh.
>
>
> CVE-2008-1657[0]:
> | OpenSSH before 4.9 allows remote authenticated users to bypass the
> | sshd_config ForceCommand directive by modifying the .ssh/rc session
> | file.
>
> If you fix the vulnerability please also make sure to include the
> CVE id in your changelog entry.
At the time I fixed this, it didn't have a public CVE identifier. I've
retroactively filled it in (in CVS) now.
Cheers,
--
Colin Watson [cjwatson@debian.org]
Reply sent
to Colin Watson <cjwatson@debian.org>
:
You have taken responsibility.
(Mon, 04 Jan 2010 00:36:06 GMT) (full text, mbox, link).
Notification sent
to Nico Golde <nion@debian.org>
:
Bug acknowledged by developer.
(Mon, 04 Jan 2010 00:36:06 GMT) (full text, mbox, link).
Message #17 received at 475156-done@bugs.debian.org (full text, mbox, reply):
Source: openssh
Source-Version: 1:4.7p1-8
This was fixed ages ago, but inadvertently left open in at least some
BTS views. Closing properly now.
openssh (1:4.7p1-8) unstable; urgency=high
* Fill in CVE identifier for security vulnerability fixed in 1:4.7p1-5.
* Rename KeepAlive to TCPKeepAlive in sshd_config, cleaning up from old
configurations (LP: #211400).
* Tweak scp's reporting of filenames in verbose mode to be a bit less
confusing with spaces (thanks, Nicolas Valcárcel; LP: #89945).
* Backport from 4.9p1:
- CVE-2008-1657: Ignore ~/.ssh/rc if a sshd_config ForceCommand is
specified.
- Add no-user-rc authorized_keys option to disable execution of
~/.ssh/rc.
* Backport from Simon Wilkinson's GSSAPI key exchange patch for 5.0p1:
- Add code to actually implement GSSAPIStrictAcceptorCheck, which had
somehow been omitted from a previous version of this patch (closes:
#474246).
-- Colin Watson <cjwatson@debian.org> Sun, 06 Apr 2008 12:34:19 +0100
--
Colin Watson [cjwatson@debian.org]
Bug archived.
Request was from Debbugs Internal Request <owner@bugs.debian.org>
to internal_control@bugs.debian.org
.
(Mon, 01 Feb 2010 07:31:54 GMT) (full text, mbox, link).
Send a report that this bug log contains spam.
Debian bug tracking system administrator <owner@bugs.debian.org>.
Last modified:
Wed Jun 19 19:07:18 2019;
Machine Name:
buxtehude
Debian Bug tracking system
Debbugs is free software and licensed under the terms of the GNU
Public License version 2. The current version can be obtained
from https://bugs.debian.org/debbugs-source/.
Copyright © 1999 Darren O. Benham,
1997,2003 nCipher Corporation Ltd,
1994-97 Ian Jackson,
2005-2017 Don Armstrong, and many other contributors.