On Tue, Feb 27, 2024 at 12:56:47PM +0100, Csillag Tamas wrote:
> * What led up to the situation?
> After upgrading to Debian 12 I am seeing directories in /tmp like:
> ssh-XXXXXXnOKqkt, ssh-XXXXXXtGmfLV
> * What was the outcome of this action?
> * What outcome did you expect instead?
> These directories are created by sshd.
> In oldstable and OpenBSD the directories are as expected:
> ssh-LwxtSMoGSV, ssh-JPcQMaBN6s
>
> The regression might be only in openssh-portable?
>
> As there are still 6 variable characters this might not be easily exploitable
> security-wise and it used to be 10 just as in OpenBSD current.
This is the same as https://bugs.debian.org/1001186; it's fixed for the next development release, but not yet for bookworm. Since this doesn't appear to be immediately serious, my inclination is to queue this up to fix along with the next bookworm openssh security update (whenever that might be), but not to trouble the security team with it right away. Does that sound reasonable?

Thanks,

-- 
Colin Watson (he/him)                              [cjwat...@debian.org]
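To make the observation in the report checkable on a running host, here is an added audit script (not part of the bug thread, nor Debian or OpenSSH code). It classifies names in a /tmp listing into the two shapes the report shows: the regressed form, a literal `XXXXXX` followed by 6 variable characters, and the expected form with 10 variable characters. It assumes the variable characters come from `[A-Za-z0-9]` (62 symbols) when estimating how much guessing space each form leaves; the sample listing is constructed and mixes the names quoted in the report with unrelated entries.

```python
import math
import os
import re

# Assumption: the random characters are drawn from [A-Za-z0-9], i.e. 62 symbols.
ALPHABET_SIZE = 62

# Regressed shape from the report: literal "XXXXXX" then 6 variable characters.
REGRESSED = re.compile(r"^ssh-XXXXXX([A-Za-z0-9]{6})$")
# Expected shape (oldstable / OpenBSD): 10 variable characters after "ssh-".
EXPECTED = re.compile(r"^ssh-([A-Za-z0-9]{10})$")

# Constructed sample listing: the names quoted in the report plus unrelated /tmp entries.
SAMPLE_LISTING = [
    "ssh-XXXXXXnOKqkt",        # from the report (regressed)
    "ssh-XXXXXXtGmfLV",        # from the report (regressed)
    "ssh-LwxtSMoGSV",          # from the report (expected)
    "ssh-JPcQMaBN6s",          # from the report (expected)
    "systemd-private-abc123",  # constructed: not an sshd directory
    "ssh-short",               # constructed: wrong length, neither shape
]


def classify(name):
    """Return 'regressed', 'expected' or 'other' for a single /tmp entry name."""
    if REGRESSED.match(name):
        return "regressed"
    if EXPECTED.match(name):
        return "expected"
    return "other"


def variable_chars(name):
    """Number of characters an attacker would actually have to guess, or 0."""
    kind = classify(name)
    return {"regressed": 6, "expected": 10}.get(kind, 0)


def guess_space_bits(random_chars):
    """log2 of the number of possible names for the given count of variable characters."""
    return random_chars * math.log2(ALPHABET_SIZE)


def audit(names):
    """Summarise a listing: counts per class and the regressed names themselves."""
    summary = {"regressed": 0, "expected": 0, "other": 0, "regressed_names": []}
    for name in names:
        kind = classify(name)
        summary[kind] += 1
        if kind == "regressed":
            summary["regressed_names"].append(name)
    return summary


def audit_directory(path="/tmp"):
    """Run the audit over a real directory listing (only directories are considered)."""
    names = [n for n in os.listdir(path) if os.path.isdir(os.path.join(path, n))]
    return audit(names)


if __name__ == "__main__":
    result = audit(SAMPLE_LISTING)
    print("regressed:", result["regressed"], result["regressed_names"])
    print("expected :", result["expected"])
    print("guess space, regressed form: %.1f bits" % guess_space_bits(6))
    print("guess space, expected form : %.1f bits" % guess_space_bits(10))
```

Run it against a live system with `audit_directory()`; a non-zero `regressed` count means sshd on that host still creates the shortened names. The bit counts only quantify the name-guessing space; they say nothing about whether a directory is exploitable, since mkdtemp still creates it with mode 0700 and fails on collision.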