[<prev] [next>] [<thread-prev] [thread-next>] [month] [year] [list]
Date: Wed, 2 Apr 2008 13:39:37 -0400 (EDT)
From: "Steven M. Christey" <coley@...us.mitre.org>
To: Jonathan Smith <smithj@...ethemallocs.com>
Subject: Re: CVE request: openssh "ForceCommand" improperly implemented
======================================================
Name: CVE-2008-1657
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1657
Reference: CONFIRM:http://www.openssh.com/txt/release-4.9
Reference: CONFIRM:https://issues.rpath.com/browse/RPL-2419
Reference: OPENBSD:[4.3] 001: SECURITY FIX: March 30, 2008
Reference: URL:http://www.openbsd.org/errata43.html#001_openssh
Reference: BID:28531
Reference: URL:http://www.securityfocus.com/bid/28531
Reference: FRSIRT:ADV-2008-1035
Reference: URL:http://www.frsirt.com/english/advisories/2008/1035/references
Reference: SECTRACK:1019733
Reference: URL:http://www.securitytracker.com/id?1019733
Reference: SECUNIA:29602
Reference: URL:http://secunia.com/advisories/29602
Reference: SECUNIA:29609
Reference: URL:http://secunia.com/advisories/29609
Reference: XF:openssh-forcecommand-command-execution(41549)
Reference: URL:http://xforce.iss.net/xforce/xfdb/41549
OpenSSH before 4.9 allows remote authenticated users to bypass the
sshd_config ForceCommand directive by modifying the .ssh/rc session
file.
Please check out the
Open Source Software Security Wiki, which is counterpart to this
mailing list.
Hosted by DataForce ISP -
Powered by Openwall GNU/*/Linux