Date: Tue, 02 Dec 2014 15:56:14 +0100 From: Florian Weimer <fweimer@...hat.com> To: oss-security@...ts.openwall.com, cve-assign@...re.org Subject: CVE request: OpenSSH ~/.k5users patch (Fedora and downstreams) In a Kerberos environment, the Fedora and Red Hat Enterprise Linux 7 version of the OpenSSH server allows remote, authenticated users to log in as another user if they are listed in a ~/.k5users file of that other user. This unexpectedly alters the system security policy, as expressed through the ~/.k5users file, because previously, users would have to log in locally, potentially requiring different forms of authentication, before they could use the ksu command to switch users. Red Hat Bugzilla: <https://bugzilla.redhat.com/show_bug.cgi?id=1169843> Patch in upstream bug tracker: <https://bugzilla.mindrot.org/show_bug.cgi?id=1867> -- Florian Weimer / Red Hat Product Security
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.