Re: FreeBSD Security Advisory FreeBSD-SA-08:05.openssh

From: Matthew Seaman <m.seaman@xxxxxxxxxxxxxxxxxxxxxx>
Date: Thu, 17 Apr 2008 13:27:41 +0100

-----BEGIN PGP SIGNED MESSAGE-----
Hash: RIPEMD160

Ian Smith wrote:

On Thu, 17 Apr 2008, Peter Pentchev wrote:
> On Thu, Apr 17, 2008 at 04:07:56PM +1000, Ian Smith wrote:
> > On Thu, 17 Apr 2008, FreeBSD Security Advisories wrote:
> >
> > > IV. Workaround
> > >
> > > Disable support for IPv6 in the sshd(8) daemon by setting the option
> > > "AddressFamily inet" in /etc/ssh/sshd_config.
> > >
> > > Disable support for X11 forwarding in the sshd(8) daemon by setting
> > > the option "X11Forwarding no" in /etc/ssh/sshd_config.
> >
> > It's not quite clear from this whether both workarounds are required, or
> > just either one, until upgrading?
>
> Either one, depending on what you want - if your users *need* and use
> X11 forwarding, then you wouldn't want to use "X11Forwarding no" :)
>
> Basically:
> - if you DO NOT use X11 forwarding, just disable it with "X11Forwarding no"
> - if you use X11 forwarding *and* you DO NOT use IPv6, use the
> "AddressFamily inet" line
> - if you use X11 forwarding *and* you use IPv6, then you must upgrade.

Thanks for the confirmation Peter, also Jille and mouss.

Hmmm... something that wasn't immediately clear to me reading the advisory:
the requirement for an attacker to listen(2) on tcp port 6010 means that they
have to have a login on the box being attacked. ie. it's a *local* information
leak rather than a network attack. It took me some time and a few gentle
thwaps with the clue stick by colleagues better versed in the sockets API than
me before I understood that.

Cheers,

Matthew

- --
Dr Matthew J Seaman MA, D.Phil. Flat 3
7 Priory Courtyard
PGP: http://www.infracaninophile.co.uk/pgpkey Ramsgate
Kent, CT11 9PW, UK
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.8 (FreeBSD)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iEYEAREDAAYFAkgHQj0ACgkQ3jDkPpsZ+VYShwCZAR5SfHeq64lznU54XpqQq190
/GAAnirda/Nn0LUrZV9qGTEZ/4uq6oYB
=nquC
-----END PGP SIGNATURE-----
_______________________________________________
freebsd-security@xxxxxxxxxxx mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-security
To unsubscribe, send any mail to "freebsd-security-unsubscribe@xxxxxxxxxxx"

Follow-Ups:
- Re: FreeBSD Security Advisory FreeBSD-SA-08:05.openssh
  - From: Dag-Erling Smørgrav

References:
- Re: FreeBSD Security Advisory FreeBSD-SA-08:05.openssh
  - From: Ian Smith

Prev by Date: Re: FreeBSD Security Advisory FreeBSD-SA-08:05.openssh
Next by Date: openssldoesn't -overwrite-base again (was: FreeBSD-SA-08:05.openssh)
Previous by thread: Re: FreeBSD Security Advisory FreeBSD-SA-08:05.openssh
Next by thread: Re: FreeBSD Security Advisory FreeBSD-SA-08:05.openssh
Index(es):
- Date
- Thread

Relevant Pages

Re: Firefox 2 & Backspace
... Marius Gedminas wrote: ... and allready is: ... I've mentioned the workaround there as well. ... Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org ...
(Ubuntu)
Re: [opensuse] DCOP error
... Will Stephenson wrote: ... You're seeing bug #177480. ... I checked and saw the bug but did not see a workaround. ... Comment: Using GnuPG with SUSE - http://enigmail.mozdev.org ...
(SuSE)
Re: [opensuse] DCOP error
... Will Stephenson wrote: ... You're seeing bug #177480. ... i went to the link provided and do not see the workaround. ... Comment: Using GnuPG with SUSE - http://enigmail.mozdev.org ...
(SuSE)