Date: Fri, 27 Jan 2012 22:46:22 -0700
From: Kurt Seifried <kseifried@...hat.com>
To: oss-security@...ts.openwall.com
CC: Yves-Alexis Perez <corsac@...ian.org>, djm@...nbsd.org, dtucker@...nbsd.org
Subject: Re: CVE Request: Debian (others?) openssh-server: Forced Command handling leaks private information to ssh clients

> TL;DR anyone shipping OpenSSH portable 5.4 and 5.5 is vulnerable and needs to fix this.
>
> This may also affect OpenSSH 5.4/5.5 (non portable) which I'll test when I get home.

Confirmed the code is basically identical, didn't actually run them to test (since it's been fixed in OpenBSD for quite some time now).

--
Kurt Seifried
Red Hat Security Response Team (SRT)