Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Date: Wed, 01 Jul 2015 14:27:04 +0200
From: Andreas Stieger <astieger@...e.de>
To: cve-assign@...re.org
CC: oss-security@...ts.openwall.com
Subject: CVE Request: two security issues in openSSH 6.9

Hi,

The openSSH 6.9 release contains the following changes declared as
security issues:

http://www.openssh.com/txt/release-6.9

> Security
> --------
>
>  * ssh(1): when forwarding X11 connections with ForwardX11Trusted=no,
>    connections made after ForwardX11Timeout expired could be permitted
>    and no longer subject to XSECURITY restrictions because of an
>    ineffective timeout check in ssh(1) coupled with "fail open"
>    behaviour in the X11 server when clients attempted connections with
>    expired credentials. This problem was reported by Jann Horn.

In the portable releases, this is 
https://anongit.mindrot.org/openssh.git/commit/?h=V_6_9&id=1bf477d3cdf1a864646d59820878783d42357a1d

>  * ssh-agent(1): fix weakness of agent locking (ssh-add -x) to
>    password guessing by implementing an increasing failure delay,
>    storing a salted hash of the password rather than the password
>    itself and using a timing-safe comparison function for verifying
>    unlock attempts. This problem was reported by Ryan Castellucci.

In the portable releases, this is
https://anongit.mindrot.org/openssh.git/commit/?h=V_6_9&id=9173d0fbe44de7ebcad8a15618e13a8b8d78902e

Could CVE-IDs be assigned for these please?

Andreas

-- 
Andreas Stieger <astieger@...e.de>
Project Manager Security
SUSE Linux GmbH, GF: Felix Imendörffer, Jane Smithard, Dilip Upmanyu, Graham Norton, HRB 21284 (AG Nürnberg)



Download attachment "signature.asc" of type "application/pgp-signature" (802 bytes)

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.