Hi Colin,

On Tue, Apr 15, 2025 at 02:36:09PM +0100, Colin Watson wrote:
> On Thu, Apr 10, 2025 at 10:20:44PM +0200, Salvatore Bonaccorso wrote:
> > The following vulnerability was published for openssh.
> >
> > CVE-2025-32728[0]:
> > | In sshd in OpenSSH before 10.0, the DisableForwarding directive does
> > | not adhere to the documentation stating that it disables X11 and
> > | agent forwarding.
>
> I'd like to upload the attached changes to bookworm-security, as well as to
> bullseye-security for LTS (after the usual changelog finalization). Do
> these debdiffs look good to you? There's a bit of noise due to git deciding
> to serialize some patches slightly differently, but the added patch is the
> only effective change in both cases.
We initially marked it as no-dsa for bookworm, so the fix could go into the next point release. But given you are suggesting a DSA, maybe we might have missed something important here? Can you elaborate where we might have overlooked something making it warrant a DSA?

What I do understand is that the sshd-side enforcing is thus not doing as documented, and AllowAgentForwarding is by default yes, whereas X11Forwarding is changed to default to yes in Debian. So we have in any case a slight difference here in Debian vs. upstream. ForwardAgent on the client side is disabled by default. And this has been broken, afaiu, for so many years that batching the update into the next point release seemed initially sufficient?

Regards,
Salvatore
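The practical consequence of the thread above, for an administrator who cannot yet deploy the fixed package, is that an sshd_config relying on DisableForwarding alone does not actually turn off X11 or agent forwarding on affected versions; the Debian default of X11Forwarding yes makes that gap wider. The audit function below is an added example written for this page, not code from the thread, from Debian or from the OpenSSH project. It reads an sshd_config from stdin and reports when DisableForwarding is on but X11Forwarding and AllowAgentForwarding are not also set to no explicitly. The function name, the awk logic and the two sample configurations are assumptions constructed for the example; it honours sshd's first-value-wins rule for repeated keywords and only audits the global section, ignoring anything after a Match block.

```shell
#!/bin/sh
# audit_disable_forwarding (hypothetical helper, not part of OpenSSH or Debian):
# read an sshd_config on stdin; exit 0 if DisableForwarding is off, or if it is
# on and X11Forwarding/AllowAgentForwarding are both explicitly "no"; otherwise
# print what is missing and exit 1.
audit_disable_forwarding() {
  awk '
    # skip comments and blank lines
    /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }
    # stop auditing at the first Match block: only global settings are checked
    /^[[:space:]]*[Mm][Aa][Tt][Cc][Hh][[:space:]]/ { in_match = 1 }
    in_match { next }
    { key = tolower($1); val = tolower($2) }
    # sshd uses the first value given for a keyword, so only record the first
    key == "disableforwarding"   && disable == "" { disable = val }
    key == "x11forwarding"       && x11 == ""     { x11 = val }
    key == "allowagentforwarding" && agent == ""  { agent = val }
    END {
      if (disable != "yes") { exit 0 }
      rc = 0
      if (x11 != "no")   { print "X11Forwarding not explicitly set to no"; rc = 1 }
      if (agent != "no") { print "AllowAgentForwarding not explicitly set to no"; rc = 1 }
      exit rc
    }'
}

# Constructed sample configurations (not real host files).
CFG_RELYING_ON_DIRECTIVE='Port 22
DisableForwarding yes
PermitRootLogin no'

CFG_EXPLICIT='Port 22
DisableForwarding yes
X11Forwarding no
AllowAgentForwarding no
Match User backup
    X11Forwarding yes'

# Stand-alone demonstration: the first config is flagged, the second passes.
printf '%s\n' "$CFG_RELYING_ON_DIRECTIVE" | audit_disable_forwarding \
  || echo "first config: relies on DisableForwarding alone"
printf '%s\n' "$CFG_EXPLICIT" | audit_disable_forwarding \
  && echo "second config: forwarding explicitly disabled"
```

Pipe a real file in with `audit_disable_forwarding < /etc/ssh/sshd_config`; the check is purely textual and does not need root or a running sshd, so it can run from configuration management before a host is touched.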

