Hi Colin, On Fri, Jan 15, 2016 at 02:01:44PM +0000, Colin Watson wrote: > On Fri, Jan 15, 2016 at 02:50:33PM +0100, Yves-Alexis Perez wrote: > > On ven., 2016-01-15 at 14:47 +0100, Guido Günther wrote: > > > > I believe Yves-Alexis Perez is handing this. > > > > > > I figured Mike's mail is related to > > > > > > TEMP-0000000 Eliminate the fallback from untrusted X11-forwarding to > > > trusted forwarding for cases when the X server disables the SECURITY > > > extension > > > > > > not to CVE-2016-0777 CVE-2016-0778? > > > > We've not yet investigated the other, CVE-less vulnerabilities fixed by the > > last OpenSSH release (whether for the current stables or for LTS). > > OpenSSH upstream decided not to fix the untrusted->trusted forwarding > issue in 7.1p2 > (https://lists.mindrot.org/pipermail/openssh-unix-dev/2016-January/034684.html). > I would recommend holding off on that until they've actually blessed a > fix for real.
I had a look at RedHat's analysis[1] and at Squeeze, Wheezy and Jessie: * Squeeze and Wheezy don't run "xhost +si:localuser:`id -un`" from xinit but we do so from Jessie on * we have the security extension enabled however Debian uses ForwardX11Trused=yes so I wonder if we can safely flag this as no-dsa needed for at least Wheezy and Squeeze since it does not seem to affect the default configuration in any way? Cheers, -- Guido > > https://security-tracker.debian.org/tracker/source-package/openssh is > mistaken in claiming that this is fixed in sid. It's not. > > -- > Colin Watson [cjwat...@debian.org] > [1] https://bugzilla.redhat.com/show_bug.cgi?id=1298741