Debian Bug report logs - #657445
openssh-server: Forced Command handling leaks private information to ssh clients


Package: openssh-server; Maintainer for openssh-server is Debian OpenSSH Maintainers <debian-ssh@lists.debian.org>; Source for openssh-server is src:openssh.

Reported by: Bjoern Buerger <bbu@pengutronix.de>

Date: Thu, 26 Jan 2012 11:06:40 UTC

Severity: normal

Tags: security

Found in version openssh/1:5.5p1-6+squeeze1

Fixed in versions openssh/1:5.7p1-1, openssh/1:5.5p1-6+squeeze2

Done: Colin Watson <cjwatson@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, Debian OpenSSH Maintainers <debian-ssh@lists.debian.org>:
Bug#657445; Package openssh-server. (Thu, 26 Jan 2012 11:06:44 GMT) Full text and rfc822 format available.

Acknowledgement sent to Bjoern Buerger <bbu@pengutronix.de>:
New Bug report received and forwarded. Copy sent to Debian OpenSSH Maintainers <debian-ssh@lists.debian.org>. (Thu, 26 Jan 2012 11:06:45 GMT) Full text and rfc822 format available.

Message #5 received at submit@bugs.debian.org (full text, mbox):

From: Bjoern Buerger <bbu@pengutronix.de>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: openssh-server: Forced Command handling leaks private information to ssh clients
Date: Thu, 26 Jan 2012 11:46:18 +0100
Package: openssh-server
Version: 1:5.5p1-6+squeeze1
Severity: normal


The handling of multiple forced commands in ~/.ssh/authorized_keys leaks
information about other configured forced commands to the user. This
affects tools like gitolite, which makes heavy use of forced commands
(For gitolite, this bug means: A user can obtain some or all usernames 
 with access to the same gitolite setup by just using the verbose
 switch of his ssh client, which is a really nasty thing).

Example: 
 
 User "bbu" on machine "ptx" has three configured forced commands for
 keys test{1,2,3}_rsa.pub:

 command="/usr/bin/first_command" ssh-rsa [...first_key...]
 command="/usr/bin/second_command" ssh-rsa [...second_key...]
 command="/usr/bin/third_command" ssh-rsa [...third_key...]

 Now, if the user of test1_rsa.pub uses the "-v" switch of
 his ssh client, he gets just his command:

 foo@bar:~/ssh_debug$ ssh -i test1_rsa -v bbu@ptx 2>&1 | grep Forced\ command
 debug1: Remote: Forced command: /usr/bin/first_command
 debug1: Remote: Forced command: /usr/bin/first_command

 but the user of test2_rsa.pub sees two commands:

 foo@bar:~/ssh_debug$ ssh -i test2_rsa -v bbu@ptx 2>&1 | grep Forced\ command
 debug1: Remote: Forced command: /usr/bin/first_command
 debug1: Remote: Forced command: /usr/bin/second_command
 debug1: Remote: Forced command: /usr/bin/first_command
 debug1: Remote: Forced command: /usr/bin/second_command

 and for user of test3_rsa.pub:

 bbu@elara:~/ssh_debug$ ssh -i test3_rsa -v bbu@ptx 2>&1 | grep Forced\ command
 debug1: Remote: Forced command: /usr/bin/first_command
 debug1: Remote: Forced command: /usr/bin/second_command
 debug1: Remote: Forced command: /usr/bin/third_command
 debug1: Remote: Forced command: /usr/bin/first_command
 debug1: Remote: Forced command: /usr/bin/second_command
 debug1: Remote: Forced command: /usr/bin/third_command


-- System Information:
Debian Release: 6.0.3
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: i386 (i686)

Kernel: Linux 2.6.32-5-686 (SMP w/1 CPU core)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages openssh-server depends on:
ii  adduser             3.112+nmu2           add and remove users and groups
ii  debconf [debconf-2. 1.5.36.1             Debian configuration management sy
ii  dpkg                1.15.8.11            Debian package management system
ii  libc6               2.11.2-10            Embedded GNU C Library: Shared lib
ii  libcomerr2          1.41.12-4stable1     common error description library
ii  libgssapi-krb5-2    1.8.3+dfsg-4squeeze5 MIT Kerberos runtime libraries - k
ii  libkrb5-3           1.8.3+dfsg-4squeeze5 MIT Kerberos runtime libraries
ii  libpam-modules      1.1.1-6.1+squeeze1   Pluggable Authentication Modules f
ii  libpam-runtime      1.1.1-6.1+squeeze1   Runtime support for the PAM librar
ii  libpam0g            1.1.1-6.1+squeeze1   Pluggable Authentication Modules l
ii  libselinux1         2.0.96-1             SELinux runtime shared libraries
ii  libssl0.9.8         0.9.8o-4squeeze7     SSL shared libraries
ii  libwrap0            7.6.q-19             Wietse Venema's TCP wrappers libra
ii  lsb-base            3.2-23.2squeeze1     Linux Standard Base 3.2 init scrip
ii  openssh-blacklist   0.4.1                list of default blacklisted OpenSS
ii  openssh-client      1:5.5p1-6+squeeze1   secure shell (SSH) client, for sec
ii  procps              1:3.2.8-9            /proc file system utilities
ii  zlib1g              1:1.2.3.4.dfsg-3     compression library - runtime

Versions of packages openssh-server recommends:
ii  openssh-blacklist-extra       0.4.1      list of non-default blacklisted Op
ii  xauth                         1:1.0.4-1  X authentication utility

Versions of packages openssh-server suggests:
pn  molly-guard                   <none>     (no description available)
pn  rssh                          <none>     (no description available)
pn  ssh-askpass                   <none>     (no description available)
pn  ufw                           <none>     (no description available)

-- debconf information excluded
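The leak described in the report above, modelled as an added example in Python (this is not code from the report, from OpenSSH or from Debian). It models the server behaviour the transcript shows: the options of every authorized_keys line are parsed, and a debug message queued, before that line's key is compared with the client's, and the queue is delivered to the client after authentication. The function names, the sample authorized_keys file and the `ssh -v` excerpts are this example's own constructions; `leaked_commands` is a defender's check for whether a server still sends the command text.

```python
import re

# Constructed authorized_keys mirroring the three-entry file in the report;
# the key blobs are placeholders, not real key material.
AUTHORIZED_KEYS = """\
command="/usr/bin/first_command" ssh-rsa AAAAB3FIRSTKEY test1
command="/usr/bin/second_command" ssh-rsa AAAAB3SECONDKEY test2
command="/usr/bin/third_command" ssh-rsa AAAAB3THIRDKEY test3
"""

# command="..." with backslash-escaped quotes allowed inside, as sshd accepts.
_COMMAND_OPT = re.compile(r'command="((?:[^"\\]|\\.)*)"')


def parse_key_line(line):
    """Return (forced_command, key_type, key_blob) for one authorized_keys
    line, or None for blank/comment lines. Only command= is modelled."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    cmd = None
    m = _COMMAND_OPT.match(line)
    if m:
        cmd = m.group(1).replace('\\"', '"')
        line = line[m.end():].lstrip()
    parts = line.split()
    if len(parts) < 2:
        return None
    return cmd, parts[0], parts[1]


def authorize(authorized_keys, client_key, leak_command):
    """Model of sshd's key lookup as the report observed it.

    Each line's options are parsed, and a message queued (auth_debug_add in
    sshd), before that line's key is compared with the client's key; the
    queue is sent to the client once authentication succeeds, so it carries
    messages about keys the client does not hold. leak_command=True models
    the unpatched "Forced command: %.900s", False the patched "Forced command."
    Returns (forced_command_of_matching_key, queued_debug_messages).
    """
    debug, forced = [], None
    # Publickey auth walks the file twice (the client's "is this key
    # acceptable?" query, then the signed request), so each message is
    # queued twice, as in the report's transcript.
    for _ in range(2):
        forced = None
        for line in authorized_keys.splitlines():
            entry = parse_key_line(line)
            if entry is None:
                continue
            cmd, _ktype, blob = entry
            if cmd is not None:
                debug.append(f"Forced command: {cmd}" if leak_command
                             else "Forced command.")
            if blob == client_key:
                forced = cmd
                break  # sshd stops at the first matching line
    return forced, debug


# Shape of the lines the report shows in the client's `ssh -v` output.
_REMOTE_FORCED = re.compile(r"^debug1: Remote: Forced command(?:\.|: ?(.+))$")


def leaked_commands(ssh_verbose_output):
    """Distinct forced commands a server revealed in `ssh -v` output; empty
    when the server sends the content-free patched message (or none)."""
    found = []
    for line in ssh_verbose_output.splitlines():
        m = _REMOTE_FORCED.match(line.strip())
        if m and m.group(1) and m.group(1) not in found:
            found.append(m.group(1))
    return found


# Constructed `ssh -v` excerpts: an unpatched server, then a patched one.
UNPATCHED_SSH_V = """\
debug1: Authentication succeeded (publickey).
debug1: Remote: Forced command: /usr/bin/first_command
debug1: Remote: Forced command: /usr/bin/second_command
debug1: Remote: Forced command: /usr/bin/first_command
debug1: Remote: Forced command: /usr/bin/second_command
"""
PATCHED_SSH_V = "debug1: Remote: Forced command.\ndebug1: Remote: Forced command.\n"
```

Running `authorize(AUTHORIZED_KEYS, "AAAAB3SECONDKEY", True)` reproduces the second transcript in the report (first and second command, each twice); with `False` the same call queues only "Forced command." lines.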




Added tag(s) security. Request was from Paul Wise <pabs@debian.org> to control@bugs.debian.org. (Thu, 26 Jan 2012 14:09:37 GMT) Full text and rfc822 format available.

Information forwarded to debian-bugs-dist@lists.debian.org, Debian OpenSSH Maintainers <debian-ssh@lists.debian.org>:
Bug#657445; Package openssh-server. (Thu, 26 Jan 2012 23:39:08 GMT) Full text and rfc822 format available.

Acknowledgement sent to Kurt Seifried <kseifried@redhat.com>:
Extra info received and forwarded to list. Copy sent to Debian OpenSSH Maintainers <debian-ssh@lists.debian.org>. (Thu, 26 Jan 2012 23:39:08 GMT) Full text and rfc822 format available.

Message #12 received at 657445@bugs.debian.org (full text, mbox):

From: Kurt Seifried <kseifried@redhat.com>
To: 657445@bugs.debian.org
Subject: Please use CVE-2012-0814 for this issue
Date: Thu, 26 Jan 2012 16:36:04 -0700
Please use CVE-2012-0814 for this issue

http://seclists.org/oss-sec/2012/q1/296

-- 
Kurt Seifried Red Hat Security Response Team (SRT)




Information forwarded to debian-bugs-dist@lists.debian.org, Debian OpenSSH Maintainers <debian-ssh@lists.debian.org>:
Bug#657445; Package openssh-server. (Fri, 27 Jan 2012 00:54:03 GMT) Full text and rfc822 format available.

Acknowledgement sent to Marc Deslauriers <marc.deslauriers@canonical.com>:
Extra info received and forwarded to list. Copy sent to Debian OpenSSH Maintainers <debian-ssh@lists.debian.org>. (Fri, 27 Jan 2012 00:54:03 GMT) Full text and rfc822 format available.

Message #17 received at 657445@bugs.debian.org (full text, mbox):

From: Marc Deslauriers <marc.deslauriers@canonical.com>
To: 657445@bugs.debian.org
Date: Thu, 26 Jan 2012 19:50:24 -0500
Looks like this:

http://www.openbsd.org/cgi-bin/cvsweb/src/usr.bin/ssh/auth-options.c.diff?r1=1.53;r2=1.54





Added indication that 657445 affects gitolite Request was from Gerfried Fuchs <rhonda@deb.at> to control@bugs.debian.org. (Fri, 27 Jan 2012 10:24:17 GMT) Full text and rfc822 format available.

Information forwarded to debian-bugs-dist@lists.debian.org, Debian OpenSSH Maintainers <debian-ssh@lists.debian.org>:
Bug#657445; Package openssh-server. (Wed, 08 Feb 2012 17:48:08 GMT) Full text and rfc822 format available.

Acknowledgement sent to Moritz Muehlenhoff <jmm@inutil.org>:
Extra info received and forwarded to list. Copy sent to Debian OpenSSH Maintainers <debian-ssh@lists.debian.org>. (Wed, 08 Feb 2012 17:48:08 GMT) Full text and rfc822 format available.

Message #24 received at 657445@bugs.debian.org (full text, mbox):

From: Moritz Muehlenhoff <jmm@inutil.org>
To: Marc Deslauriers <marc.deslauriers@canonical.com>
Cc: 657445@bugs.debian.org, team@security.debian.org
Subject: Re: your mail
Date: Wed, 8 Feb 2012 18:44:26 +0100
On Thu, Jan 26, 2012 at 07:50:24PM -0500, Marc Deslauriers wrote:
> Looks like this:
> 
> http://www.openbsd.org/cgi-bin/cvsweb/src/usr.bin/ssh/auth-options.c.diff?r1=1.53;r2=1.54

Colin, can you fix this for the 6.0.5 point release?

Cheers,
        Moritz




Information forwarded to debian-bugs-dist@lists.debian.org, Debian OpenSSH Maintainers <debian-ssh@lists.debian.org>:
Bug#657445; Package openssh-server. (Mon, 20 Feb 2012 03:27:10 GMT) Full text and rfc822 format available.

Acknowledgement sent to Colin Watson <cjwatson@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian OpenSSH Maintainers <debian-ssh@lists.debian.org>. (Mon, 20 Feb 2012 03:27:10 GMT) Full text and rfc822 format available.

Message #29 received at 657445@bugs.debian.org (full text, mbox):

From: Colin Watson <cjwatson@debian.org>
To: Moritz Muehlenhoff <jmm@inutil.org>, 657445@bugs.debian.org
Cc: Marc Deslauriers <marc.deslauriers@canonical.com>, team@security.debian.org
Subject: Re: Bug#657445: your mail
Date: Mon, 20 Feb 2012 02:46:14 +0000
On Wed, Feb 08, 2012 at 06:44:26PM +0100, Moritz Muehlenhoff wrote:
> On Thu, Jan 26, 2012 at 07:50:24PM -0500, Marc Deslauriers wrote:
> > Looks like this:
> > 
> > http://www.openbsd.org/cgi-bin/cvsweb/src/usr.bin/ssh/auth-options.c.diff?r1=1.53;r2=1.54
> 
> Colin, can you fix this for the 6.0.5 point release?

Yes - sorry for the delay, real life intervened fairly heavily.  Do the
signed packages at master:~cjwatson/openssh/ meet your requirements?  A
debdiff follows.

diff -Nru openssh-5.5p1/debian/changelog openssh-5.5p1/debian/changelog
--- openssh-5.5p1/debian/changelog	2011-07-28 17:44:13.000000000 +0100
+++ openssh-5.5p1/debian/changelog	2012-02-20 02:26:35.000000000 +0000
@@ -1,3 +1,11 @@
+openssh (1:5.5p1-6+squeeze2) stable-security; urgency=high
+
+  * CVE-2012-0814: Don't send the actual forced command in a debug message,
+    which allowed remote authenticated users to obtain potentially sensitive
+    information by reading these messages (closes: #657445).
+
+ -- Colin Watson <cjwatson@debian.org>  Mon, 20 Feb 2012 02:23:55 +0000
+
 openssh (1:5.5p1-6+squeeze1) stable; urgency=low
 
   * Quieten logs when multiple from= restrictions are used in different
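Review bot: the distribution on the new `+openssh (1:5.5p1-6+squeeze2) stable-security; urgency=high` line should be `stable` (or `squeeze`) rather than `stable-security`, since the plan stated earlier in this thread is to ship the fix through the 6.0.5 stable point release, not the security archive. The entry text itself is fine: it names CVE-2012-0814, describes the leak and closes #657445.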
diff -Nru openssh-5.5p1/debian/patches/forced-command-debug-security.patch openssh-5.5p1/debian/patches/forced-command-debug-security.patch
--- openssh-5.5p1/debian/patches/forced-command-debug-security.patch	1970-01-01 01:00:00.000000000 +0100
+++ openssh-5.5p1/debian/patches/forced-command-debug-security.patch	2012-02-20 02:18:45.000000000 +0000
@@ -0,0 +1,19 @@
+Description: Don't send the actual forced command in a debug message
+Origin: upstream, http://www.openbsd.org/cgi-bin/cvsweb/src/usr.bin/ssh/auth-options.c.diff?r1=1.53;r2=1.54
+Bug-Debian: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=657445
+Forwarded: not-needed
+Last-Update: 2012-02-20
+
+Index: b/auth-options.c
+===================================================================
+--- a/auth-options.c
++++ b/auth-options.c
+@@ -174,7 +174,7 @@
+ 				goto bad_option;
+ 			}
+ 			forced_command[i] = '\0';
+-			auth_debug_add("Forced command: %.900s", forced_command);
++			auth_debug_add("Forced command.");
+ 			opts++;
+ 			goto next_option;
+ 		}
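Review bot: replacing `auth_debug_add("Forced command: %.900s", forced_command);` with `auth_debug_add("Forced command.");` removes the command text, but the call still runs once per forced-command entry the option parser sees, so the number of such messages a client receives (the reporter's transcript shows one per entry, repeated) continues to reflect how many forced-command entries precede the client's own key. That is acceptable for a minimal stable update, but the Description line would be clearer if it said the message content is removed while the message itself is kept.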
diff -Nru openssh-5.5p1/debian/patches/series openssh-5.5p1/debian/patches/series
--- openssh-5.5p1/debian/patches/series	2011-07-28 17:22:59.000000000 +0100
+++ openssh-5.5p1/debian/patches/series	2012-02-20 02:22:06.000000000 +0000
@@ -27,6 +27,9 @@
 dnssec-sshfp.patch
 auth-log-verbosity.patch
 
+# Security fixes
+forced-command-debug-security.patch
+
 # Versioning
 package-versioning.patch
 debian-banner.patch

-- 
Colin Watson                                       [cjwatson@debian.org]




Bug Marked as fixed in versions openssh/1:5.7p1-1. Request was from Colin Watson <cjwatson@debian.org> to control@bugs.debian.org. (Mon, 20 Feb 2012 03:27:11 GMT) Full text and rfc822 format available.

Information forwarded to debian-bugs-dist@lists.debian.org, Debian OpenSSH Maintainers <debian-ssh@lists.debian.org>:
Bug#657445; Package openssh-server. (Mon, 20 Feb 2012 10:06:03 GMT) Full text and rfc822 format available.

Acknowledgement sent to "Thijs Kinkhorst" <thijs@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian OpenSSH Maintainers <debian-ssh@lists.debian.org>. (Mon, 20 Feb 2012 10:06:07 GMT) Full text and rfc822 format available.

Message #36 received at 657445@bugs.debian.org (full text, mbox):

From: "Thijs Kinkhorst" <thijs@debian.org>
To: "Colin Watson" <cjwatson@debian.org>
Cc: 657445@bugs.debian.org, "Marc Deslauriers" <marc.deslauriers@canonical.com>, team@security.debian.org
Subject: Re: Bug#657445: your mail
Date: Mon, 20 Feb 2012 11:04:20 +0100
Hi Colin,

On Mon, February 20, 2012 03:46, Colin Watson wrote:
> On Wed, Feb 08, 2012 at 06:44:26PM +0100, Moritz Muehlenhoff wrote:
>> On Thu, Jan 26, 2012 at 07:50:24PM -0500, Marc Deslauriers wrote:
>> > Looks like this:
>> >
>> > http://www.openbsd.org/cgi-bin/cvsweb/src/usr.bin/ssh/auth-options.c.diff?r1=1.53;r2=1.54
>>
>> Colin, can you fix this for the 6.0.5 point release?
>
> Yes - sorry for the delay, real life intervened fairly heavily.  Do the
> signed packages at master:~cjwatson/openssh/ meet your requirements?  A
> debdiff follows.

Thanks for preparing this.

> diff -Nru openssh-5.5p1/debian/changelog openssh-5.5p1/debian/changelog
> --- openssh-5.5p1/debian/changelog	2011-07-28 17:44:13.000000000 +0100
> +++ openssh-5.5p1/debian/changelog	2012-02-20 02:26:35.000000000 +0000
> @@ -1,3 +1,11 @@
> +openssh (1:5.5p1-6+squeeze2) stable-security; urgency=high

The patch looks good, but the targeted distribution should be 'stable',
not 'stable-security', as the intention was to fix this through a stable
point update.


Cheers,
Thijs





Information forwarded to debian-bugs-dist@lists.debian.org, Debian OpenSSH Maintainers <debian-ssh@lists.debian.org>:
Bug#657445; Package openssh-server. (Mon, 20 Feb 2012 18:21:06 GMT) Full text and rfc822 format available.

Acknowledgement sent to Moritz Muehlenhoff <jmm@inutil.org>:
Extra info received and forwarded to list. Copy sent to Debian OpenSSH Maintainers <debian-ssh@lists.debian.org>. (Mon, 20 Feb 2012 18:21:06 GMT) Full text and rfc822 format available.

Message #41 received at 657445@bugs.debian.org (full text, mbox):

From: Moritz Muehlenhoff <jmm@inutil.org>
To: cjwatson@debian.org
Cc: 657445@bugs.debian.org, team@security.debian.org, debian-release@lists.debian.org
Subject: Re: Bug#657445: your mail
Date: Mon, 20 Feb 2012 19:15:09 +0100
On Mon, Feb 20, 2012 at 11:04:20AM +0100, Thijs Kinkhorst wrote:
> Hi Colin,
> 
> On Mon, February 20, 2012 03:46, Colin Watson wrote:
> > On Wed, Feb 08, 2012 at 06:44:26PM +0100, Moritz Muehlenhoff wrote:
> >> On Thu, Jan 26, 2012 at 07:50:24PM -0500, Marc Deslauriers wrote:
> >> > Looks like this:
> >> >
> >> > http://www.openbsd.org/cgi-bin/cvsweb/src/usr.bin/ssh/auth-options.c.diff?r1=1.53;r2=1.54
> >>
> >> Colin, can you fix this for the 6.0.5 point release?
> >
> > Yes - sorry for the delay, real life intervened fairly heavily.  Do the
> > signed packages at master:~cjwatson/openssh/ meet your requirements?  A
> > debdiff follows.
> 
> Thanks for preparing this.
> 
> > diff -Nru openssh-5.5p1/debian/changelog openssh-5.5p1/debian/changelog
> > --- openssh-5.5p1/debian/changelog	2011-07-28 17:44:13.000000000 +0100
> > +++ openssh-5.5p1/debian/changelog	2012-02-20 02:26:35.000000000 +0000
> > @@ -1,3 +1,11 @@
> > +openssh (1:5.5p1-6+squeeze2) stable-security; urgency=high
> 
> The patch looks good, but the targeted distribution should be 'stable',
> not 'stable-security', as the intention was to fix this through a stable
> point update.

The fix needs to be acked by the stable release managers, adding them to CC.

Cheers,
        Moritz




Information forwarded to debian-bugs-dist@lists.debian.org, Debian OpenSSH Maintainers <debian-ssh@lists.debian.org>:
Bug#657445; Package openssh-server. (Mon, 20 Feb 2012 19:39:05 GMT) Full text and rfc822 format available.

Acknowledgement sent to "Adam D. Barratt" <adam@adam-barratt.org.uk>:
Extra info received and forwarded to list. Copy sent to Debian OpenSSH Maintainers <debian-ssh@lists.debian.org>. (Mon, 20 Feb 2012 19:39:05 GMT) Full text and rfc822 format available.

Message #46 received at 657445@bugs.debian.org (full text, mbox):

From: "Adam D. Barratt" <adam@adam-barratt.org.uk>
To: Moritz Muehlenhoff <jmm@inutil.org>
Cc: cjwatson@debian.org, 657445@bugs.debian.org, team@security.debian.org, debian-release@lists.debian.org
Subject: Re: Bug#657445: your mail
Date: Mon, 20 Feb 2012 19:36:14 +0000
On Mon, 2012-02-20 at 19:15 +0100, Moritz Muehlenhoff wrote:
> On Mon, Feb 20, 2012 at 11:04:20AM +0100, Thijs Kinkhorst wrote:
> > On Mon, February 20, 2012 03:46, Colin Watson wrote:
> > > diff -Nru openssh-5.5p1/debian/changelog openssh-5.5p1/debian/changelog
> > > --- openssh-5.5p1/debian/changelog	2011-07-28 17:44:13.000000000 +0100
> > > +++ openssh-5.5p1/debian/changelog	2012-02-20 02:26:35.000000000 +0000
> > > @@ -1,3 +1,11 @@
> > > +openssh (1:5.5p1-6+squeeze2) stable-security; urgency=high
> > 
> > The patch looks good, but the targeted distribution should be 'stable',
> > not 'stable-security', as the intention was to fix this through a stable
> > point update.
> 
> The fix needs to be acked by the stable release managers, adding them to CC.

Hmmm, it would be nicer if it were still possible to log commands that
the key /should/ be permitted to access, but I'm guessing that would be
a more involved and invasive change.

Based on the debdiff in
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=657445#29 , please go
ahead (with the distribution set to "stable" or "squeeze").

Regards,

Adam





Information forwarded to debian-bugs-dist@lists.debian.org, Debian OpenSSH Maintainers <debian-ssh@lists.debian.org>:
Bug#657445; Package openssh-server. (Tue, 21 Feb 2012 08:45:03 GMT) Full text and rfc822 format available.

Acknowledgement sent to Colin Watson <cjwatson@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian OpenSSH Maintainers <debian-ssh@lists.debian.org>. (Tue, 21 Feb 2012 08:45:03 GMT) Full text and rfc822 format available.

Message #51 received at 657445@bugs.debian.org (full text, mbox):

From: Colin Watson <cjwatson@debian.org>
To: "Adam D. Barratt" <adam@adam-barratt.org.uk>
Cc: Moritz Muehlenhoff <jmm@inutil.org>, 657445@bugs.debian.org, team@security.debian.org, debian-release@lists.debian.org
Subject: Re: Bug#657445: your mail
Date: Tue, 21 Feb 2012 08:41:12 +0000
On Mon, Feb 20, 2012 at 07:36:14PM +0000, Adam D. Barratt wrote:
> On Mon, 2012-02-20 at 19:15 +0100, Moritz Muehlenhoff wrote:
> > On Mon, Feb 20, 2012 at 11:04:20AM +0100, Thijs Kinkhorst wrote:
> > > The patch looks good, but the targeted distribution should be 'stable',
> > > not 'stable-security', as the intention was to fix this through a stable
> > > point update.

I misunderstood.  Sorry about that.

> > The fix needs to be acked by the stable release managers, adding them to CC.
> 
> Hmmm, it would be nicer if it were still possible to log commands that
> the key /should/ be permitted to access, but I'm guessing that would be
> a more involved and invasive change.

This isn't an access list; it's a forced command, overriding whatever
the client tries to do.  If authentication succeeds and it gets as far
as executing the command, then that's already logged at -d in the
server; see session.c:do_exec.

> Based on the debdiff in
> http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=657445#29 , please go
> ahead (with the distribution set to "stable" or "squeeze").

Uploaded, thanks.

-- 
Colin Watson                                       [cjwatson@debian.org]




Information forwarded to debian-bugs-dist@lists.debian.org, Debian OpenSSH Maintainers <debian-ssh@lists.debian.org>:
Bug#657445; Package openssh-server. (Tue, 21 Feb 2012 19:03:08 GMT) Full text and rfc822 format available.

Acknowledgement sent to "Adam D. Barratt" <adam@adam-barratt.org.uk>:
Extra info received and forwarded to list. Copy sent to Debian OpenSSH Maintainers <debian-ssh@lists.debian.org>. (Tue, 21 Feb 2012 19:03:08 GMT) Full text and rfc822 format available.

Message #56 received at 657445@bugs.debian.org (full text, mbox):

From: "Adam D. Barratt" <adam@adam-barratt.org.uk>
To: Colin Watson <cjwatson@debian.org>
Cc: Moritz Muehlenhoff <jmm@inutil.org>, 657445@bugs.debian.org, team@security.debian.org, debian-release@lists.debian.org
Subject: Re: Bug#657445: your mail
Date: Tue, 21 Feb 2012 19:01:44 +0000
On Tue, 2012-02-21 at 08:41 +0000, Colin Watson wrote:
> On Mon, Feb 20, 2012 at 07:36:14PM +0000, Adam D. Barratt wrote:
> > On Mon, 2012-02-20 at 19:15 +0100, Moritz Muehlenhoff wrote:
> > > The fix needs to be acked by the stable release managers, adding them to CC.
> > 
> > Hmmm, it would be nicer if it were still possible to log commands that
> > the key /should/ be permitted to access, but I'm guessing that would be
> > a more involved and invasive change.
> 
> This isn't an access list; it's a forced command, overriding whatever
> the client tries to do.

Yeah, senior moment; apologies.

> > Based on the debdiff in
> > http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=657445#29 , please go
> > ahead (with the distribution set to "stable" or "squeeze").
> 
> Uploaded, thanks.

I've just flagged the package for acceptance into proposed-updates;
thanks.

Regards,

Adam





Reply sent to Colin Watson <cjwatson@debian.org>:
You have taken responsibility. (Tue, 21 Feb 2012 19:21:06 GMT) Full text and rfc822 format available.

Notification sent to Bjoern Buerger <bbu@pengutronix.de>:
Bug acknowledged by developer. (Tue, 21 Feb 2012 19:21:06 GMT) Full text and rfc822 format available.

Message #61 received at 657445-close@bugs.debian.org (full text, mbox):

From: Colin Watson <cjwatson@debian.org>
To: 657445-close@bugs.debian.org
Subject: Bug#657445: fixed in openssh 1:5.5p1-6+squeeze2
Date: Tue, 21 Feb 2012 19:17:11 +0000
Source: openssh
Source-Version: 1:5.5p1-6+squeeze2

We believe that the bug you reported is fixed in the latest version of
openssh, which is due to be installed in the Debian FTP archive:

openssh-client-udeb_5.5p1-6+squeeze2_i386.udeb
  to main/o/openssh/openssh-client-udeb_5.5p1-6+squeeze2_i386.udeb
openssh-client_5.5p1-6+squeeze2_i386.deb
  to main/o/openssh/openssh-client_5.5p1-6+squeeze2_i386.deb
openssh-server-udeb_5.5p1-6+squeeze2_i386.udeb
  to main/o/openssh/openssh-server-udeb_5.5p1-6+squeeze2_i386.udeb
openssh-server_5.5p1-6+squeeze2_i386.deb
  to main/o/openssh/openssh-server_5.5p1-6+squeeze2_i386.deb
openssh_5.5p1-6+squeeze2.debian.tar.gz
  to main/o/openssh/openssh_5.5p1-6+squeeze2.debian.tar.gz
openssh_5.5p1-6+squeeze2.dsc
  to main/o/openssh/openssh_5.5p1-6+squeeze2.dsc
ssh-askpass-gnome_5.5p1-6+squeeze2_i386.deb
  to main/o/openssh/ssh-askpass-gnome_5.5p1-6+squeeze2_i386.deb
ssh-krb5_5.5p1-6+squeeze2_all.deb
  to main/o/openssh/ssh-krb5_5.5p1-6+squeeze2_all.deb
ssh_5.5p1-6+squeeze2_all.deb
  to main/o/openssh/ssh_5.5p1-6+squeeze2_all.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 657445@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Colin Watson <cjwatson@debian.org> (supplier of updated openssh package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)



Format: 1.8
Date: Mon, 20 Feb 2012 02:23:55 +0000
Source: openssh
Binary: openssh-client openssh-server ssh ssh-krb5 ssh-askpass-gnome openssh-client-udeb openssh-server-udeb
Architecture: source all i386
Version: 1:5.5p1-6+squeeze2
Distribution: stable
Urgency: high
Maintainer: Debian OpenSSH Maintainers <debian-ssh@lists.debian.org>
Changed-By: Colin Watson <cjwatson@debian.org>
Closes: 657445
Description: 
 openssh-client - secure shell (SSH) client, for secure access to remote machines
 openssh-client-udeb - secure shell client for the Debian installer (udeb)
 openssh-server - secure shell (SSH) server, for secure access from remote machines
 openssh-server-udeb - secure shell server for the Debian installer (udeb)
 ssh        - secure shell client and server (metapackage)
 ssh-askpass-gnome - interactive X program to prompt users for a passphrase for ssh-ad
 ssh-krb5   - secure shell client and server (transitional package)
Changes: 
 openssh (1:5.5p1-6+squeeze2) stable; urgency=high
 .
   * CVE-2012-0814: Don't send the actual forced command in a debug message,
     which allowed remote authenticated users to obtain potentially sensitive
     information by reading these messages (closes: #657445).






Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Wed, 21 Mar 2012 07:35:18 GMT) Full text and rfc822 format available.



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Thu Apr 17 01:24:44 2014; Machine Name: buxtehude.debian.org
