https://bugzilla.mindrot.org/show_bug.cgi?id=2552
--- Comment #1 from Jakub Jelen <[email protected]> ---

Thank you for bringing this upstream. The fact that the SECURITY extension "breaks" applications has been a known problem for years, but when distros basically disabled untrusted forwarding, there was no reason for application developers to fix these problems. And now we are on the same page, >10 years later.

But you miss one thing that changed. The XSECURITY extension is no longer enabled by default on current systems (at least Fedora/RHEL) and has been disabled upstream since 2007 in favour of the X Access Control Extension (XACE). This caused CVE-2016-1908 (fallback from untrusted to trusted) when the extension is missing. Current behaviour is that untrusted X11 forwarding requests fail in this case.

My initial idea was to have a look into XACE, whether it is mature enough and whether it would be able to work with our X11 forwarding, but Wayland/xpra also look like an interesting way to go. I would be interested in others' insights on this issue.
