Date: Fri, 27 Jan 2012 09:59:49 -0700
From: Kurt Seifried <kseifried@...hat.com>
To: oss-security@...ts.openwall.com
CC: Yves-Alexis Perez <corsac@...ian.org>
Subject: Re: CVE Request: Debian (others?) openssh-server: Forced Command handling leaks private information to ssh clients

On 01/27/2012 03:40 AM, Yves-Alexis Perez wrote:
> On Thu., 2012-01-26 at 19:49 -0500, Marc Deslauriers wrote:
>>> Please use CVE-2012-0814 for this issue. Also please let me know if
>>> other Linux distributions are affected!
>>>
>>>
>>
>> Looks like this (I haven't tried...):
>>
>> http://www.openbsd.org/cgi-bin/cvsweb/src/usr.bin/ssh/auth-options.c.diff?r1=1.53;r2=1.54
>
> By the way, is the ForceCommand (and other directives) really supposed
> to be private for different keys (or, more widely, for different matches
> for the same user).
>
> Regards,

I created three separate keys, so three separate accounts. I can't see any
valid reason that account #3 (that is the third key listed) should be able
to see the first and second force commands. These commands could contain
sensitive commands/passwords (e.g. log in with a key to trigger some
automated job by the backup user) for example.

-- 
Kurt Seifried
Red Hat Security Response Team (SRT)
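As an added example (not part of this thread and not OpenSSH code), the following Python script parses the per-key options field of an authorized_keys file, in the same command="...",no-pty,... syntax that auth-options.c in sshd consumes, and lists each key's forced command. It lets an administrator see which command sshd binds to which key and review those commands for embedded credentials, which is exactly the data the thread is worried about reaching a client holding a different key. The sample file is constructed, the key blobs are truncated placeholders, and the prefix test used to tell an options field from a bare key type is an assumption of the example, not sshd's own check.

```python
"""Audit the per-key forced commands in an OpenSSH authorized_keys file.

Added example, not part of the mailing-list thread or of OpenSSH. The
sample file at the bottom is constructed; its key blobs are truncated
placeholders, not real keys.
"""

# Assumption of this example: a line that starts with one of these prefixes
# has no options field. sshd itself tries to parse a key first and falls
# back to skipping an options field; no documented option name starts this way.
KEY_TYPE_PREFIXES = ("ssh-", "ecdsa-", "sk-")


def parse_options(text):
    """Parse the leading options field of an authorized_keys line.

    Returns (options, rest): options is a list of (name, value) pairs, with
    value None for bare flags such as no-pty; rest is the remainder of the
    line starting at the key type. Double-quoted values may contain the
    backslash-quote escape that sshd accepts.
    """
    opts = []
    i, n = 0, len(text)
    while i < n:
        j = i
        while j < n and text[j] not in '=, \t':   # option name
            j += 1
        name = text[i:j]
        value = None
        if j < n and text[j] == '=':
            j += 1
            if j < n and text[j] == '"':            # quoted value
                j += 1
                buf = []
                while j < n and text[j] != '"':
                    if text[j] == '\\' and j + 1 < n and text[j + 1] == '"':
                        buf.append('"')
                        j += 2
                    else:
                        buf.append(text[j])
                        j += 1
                if j >= n:
                    raise ValueError("unterminated quoted option value")
                j += 1                              # closing quote
                value = ''.join(buf)
            else:                                   # unquoted value
                k = j
                while k < n and text[k] not in ', \t':
                    k += 1
                value = text[j:k]
                j = k
        opts.append((name, value))
        if j < n and text[j] == ',':
            i = j + 1
            continue
        return opts, text[j:].lstrip()              # whitespace ends the field
    return opts, ''


def parse_authorized_keys(content):
    """Return one dict per key entry: options, command, key_type, key_blob, comment."""
    entries = []
    for raw in content.splitlines():
        line = raw.strip()
        if not line or line.startswith('#'):
            continue
        first = line.split(None, 1)[0]
        if first.startswith(KEY_TYPE_PREFIXES):
            opts, rest = [], line
        else:
            opts, rest = parse_options(line)
        fields = rest.split(None, 2)
        if len(fields) < 2:
            raise ValueError("malformed entry: %r" % raw)
        command = next((v for k, v in opts if k == 'command'), None)
        entries.append({
            'options': opts,
            'command': command,
            'key_type': fields[0],
            'key_blob': fields[1],
            'comment': fields[2] if len(fields) == 3 else '',
        })
    return entries


def forced_commands(entries):
    """(comment, command) for every entry carrying a command= option."""
    return [(e['comment'], e['command']) for e in entries if e['command'] is not None]


# Constructed sample: three keys for one account, two of them with forced
# commands, one of which embeds a passphrase on its command line.
SAMPLE_AUTHORIZED_KEYS = """\
# constructed sample, key blobs truncated
command="/usr/local/bin/run-backup --passphrase \\"s3cret\\"",no-pty,no-port-forwarding ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAA... backup@host1
command="/usr/bin/rsync --server --sender . /srv/mirror",no-agent-forwarding ssh-rsa AAAAB3NzaC1yc2EAAAA... mirror@host2
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAA... admin@laptop
"""

if __name__ == '__main__':
    for comment, cmd in forced_commands(parse_authorized_keys(SAMPLE_AUTHORIZED_KEYS)):
        print("%-14s command=%s" % (comment or '(no comment)', cmd))
```

Run against a real file with `parse_authorized_keys(open(path).read())`; every command the report lists is text that, on an sshd affected by this issue, a client authenticating with any of the account's other keys could have read, so anything secret in it (the passphrase in the first sample entry, for instance) belongs in a file readable only by the job, not on the command line.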