[Bug 227322] Re: [openssh] [CVE-2008-1657] possibility to bypass global "ForceCommand" directive

Colin Watson cjwatson at canonical.com
Tue May 6 15:06:18 BST 2008


Already fixed in Hardy/Intrepid and backported to earlier releases.
Please look at the changelog as well as just the version number!

openssh (1:4.7p1-8) unstable; urgency=high

  * Fill in CVE identifier for security vulnerability fixed in 1:4.7p1-5.
  * Rename KeepAlive to TCPKeepAlive in sshd_config, cleaning up from old
    configurations (LP: #211400).
  * Tweak scp's reporting of filenames in verbose mode to be a bit less
    confusing with spaces (thanks, Nicolas Valcárcel; LP: #89945).
  * Backport from 4.9p1:
    - Ignore ~/.ssh/rc if a sshd_config ForceCommand is specified (see
      http://www.securityfocus.com/bid/28531/info).
    - Add no-user-rc authorized_keys option to disable execution of
      ~/.ssh/rc.
  * Backport from Simon Wilkinson's GSSAPI key exchange patch for 5.0p1:
    - Add code to actually implement GSSAPIStrictAcceptorCheck, which had
      somehow been omitted from a previous version of this patch (closes:
      #474246).

 -- Colin Watson <cjwatson at debian.org>  Sun, 06 Apr 2008 12:34:19 +0100

I believe this is already on the security team's list for earlier
releases.

** Changed in: openssh (Ubuntu)
       Status: New => Fix Released

** Changed in: openssh (Ubuntu)
     Assignee: (unassigned) => Colin Watson (kamion)

-- 
[openssh] [CVE-2008-1657] possibility to bypass global "ForceCommand" directive
https://bugs.launchpad.net/bugs/227322
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to openssh in ubuntu.
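
The backported changelog items above concern ~/.ssh/rc being run even though sshd_config specifies ForceCommand, and the new no-user-rc authorized_keys option. As an added example (not part of the original message, the Ubuntu package or OpenSSH), this Python audit reports, for a host that sets ForceCommand, which accounts have a ~/.ssh/rc and how many of their keys lack no-user-rc. The function names, the account dictionary layout and the sample data are assumptions made for illustration.

```python
import re

KEY_TYPE = re.compile(r"^(ssh-|ecdsa-|sk-|\d+$)")  # first field is a key type: no options
QUOTED = re.compile(r'"(?:\\.|[^"\\])*"')            # a quoted option value
FIRST_FIELD = re.compile(r'(?:"(?:\\.|[^"\\])*"|[^\s"])+')  # up to first unquoted space

def force_commands(sshd_config):
    """Return (scope, command) per ForceCommand; Match criteria are not evaluated."""
    scope, found = "global", []
    for raw in sshd_config.splitlines():
        parts = raw.strip().split(None, 1)
        if not parts or parts[0].startswith("#"):
            continue
        key, value = parts[0].lower(), (parts[1].strip() if len(parts) > 1 else "")
        if key == "match":
            scope = "Match " + value
        elif key == "forcecommand":
            found.append((scope, value))
    return found

def key_options(line):
    """Return the lower-cased option names at the start of one authorized_keys line."""
    m = FIRST_FIELD.match(line)
    first = m.group(0) if m else ""
    if KEY_TYPE.match(first):
        return []
    return [o.split("=")[0].lower() for o in QUOTED.sub("", first).split(",") if o]

def rc_exposure(sshd_config, accounts):
    """accounts (assumed layout): {user: {"rc": bool, "authorized_keys": str}}."""
    if not force_commands(sshd_config):
        return []
    findings = []
    for user, acct in sorted(accounts.items()):
        keys = [k.strip() for k in acct["authorized_keys"].splitlines()
                if k.strip() and not k.strip().startswith("#")]
        unguarded = sum("no-user-rc" not in key_options(k) for k in keys)
        if acct["rc"] or unguarded:
            findings.append((user, acct["rc"], unguarded))
    return findings

# Constructed sample input (not taken from the bug report).
SAMPLE_SSHD_CONFIG = "Port 22\nForceCommand /usr/local/bin/restricted-shell\n"
SAMPLE_ACCOUNTS = {
    "alice": {"rc": True, "authorized_keys": "ssh-rsa AAAAB3NzaCONSTRUCTED alice@laptop\n"},
    "backup": {"rc": False, "authorized_keys": 'command="/usr/bin/rsync --server",no-user-rc ssh-rsa AAAAB3NzaCONSTRUCTED backup@host\n'},
}
if __name__ == "__main__":
    print(rc_exposure(SAMPLE_SSHD_CONFIG, SAMPLE_ACCOUNTS))
```

Each finding is (user, rc file present, number of keys without no-user-rc); an empty list means no ForceCommand was found or nothing was flagged.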


