Date: Fri, 27 Jan 2012 11:40:47 +0100
From: Yves-Alexis Perez <corsac@...ian.org>
To: oss-security@...ts.openwall.com
Subject: Re: CVE Request: Debian (others?) openssh-server: Forced Command handling leaks private information to ssh clients

On jeu., 2012-01-26 at 19:49 -0500, Marc Deslauriers wrote:
> > Please use CVE-2012-0814 for this issue. Also please let me know if
> > other Linux distributions are affected!
> >
> >
>
> Looks like this (I haven't tried...):
>
> http://www.openbsd.org/cgi-bin/cvsweb/src/usr.bin/ssh/auth-options.c.diff?r1=1.53;r2=1.54

By the way, is the ForceCommand (and other directives) really supposed
to be private for different keys (or, more widely, for different matches
for the same user)?

Regards,
--
Yves-Alexis