On Wed, 2015-07-01 21:31:37 +0200, Moritz Muehlenhoff wrote:
> Hi Colin,
> CVE-2015-5352 was assigned to this change from 6.9:
>
>> * ssh(1): when forwarding X11 connections with ForwardX11Trusted=no,
>> connections made after ForwardX11Timeout expired could be permitted
>> and no longer subject to XSECURITY restrictions because of an
>> ineffective timeout check in ssh(1) coupled with "fail open"
>> behaviour in the X11 server when clients attempted connections with
>> expired credentials. This problem was reported by Jann Horn.
>
> Fix:
> https://anongit.mindrot.org/openssh.git/commit/?h=V_6_9&id=1bf477d3cdf1a864646d59820878783d42357a1d

More information about CVE-2015-5352 is available at:
https://thejh.net/written-stuff/openssh-6.8-xsecurity

> I don't think this warrants a DSA, we can line up the fix for a future
> DSA or a jessie point update. Or do you disagree?
>
> Cheers,
> Moritz