From owner-freebsd-security@FreeBSD.ORG  Thu Apr 17 11:39:46 2008
Return-Path: <owner-freebsd-security@FreeBSD.ORG>
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34])
	by hub.freebsd.org (Postfix) with ESMTP id F1640106566C
	for <freebsd-security@freebsd.org>;
	Thu, 17 Apr 2008 11:39:46 +0000 (UTC)
	(envelope-from smithi@nimnet.asn.au)
Received: from gaia.nimnet.asn.au (nimbin.lnk.telstra.net [139.130.45.143])
	by mx1.freebsd.org (Postfix) with ESMTP id 9B15D8FC18
	for <freebsd-security@freebsd.org>;
	Thu, 17 Apr 2008 11:39:44 +0000 (UTC)
	(envelope-from smithi@nimnet.asn.au)
Received: from localhost (smithi@localhost)
	by gaia.nimnet.asn.au (8.8.8/8.8.8R1.5) with SMTP id VAA07369;
	Thu, 17 Apr 2008 21:39:37 +1000 (EST)
	(envelope-from smithi@nimnet.asn.au)
Date: Thu, 17 Apr 2008 21:39:36 +1000 (EST)
From: Ian Smith <smithi@nimnet.asn.au>
To: Peter Pentchev <roam@ringlet.net>
In-Reply-To: <20080417084544.GA2461@straylight.m.ringlet.net>
Message-ID: <Pine.BSF.3.96.1080417212950.23910C-100000@gaia.nimnet.asn.au>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Cc: freebsd-security@freebsd.org
Subject: Re: FreeBSD Security Advisory FreeBSD-SA-08:05.openssh
X-BeenThere: freebsd-security@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: "Security issues \[members-only posting\]"
	<freebsd-security.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-security>, 
	<mailto:freebsd-security-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-security>
List-Post: <mailto:freebsd-security@freebsd.org>
List-Help: <mailto:freebsd-security-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-security>, 
	<mailto:freebsd-security-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Thu, 17 Apr 2008 11:39:47 -0000

On Thu, 17 Apr 2008, Peter Pentchev wrote:
 > On Thu, Apr 17, 2008 at 04:07:56PM +1000, Ian Smith wrote:
 > > On Thu, 17 Apr 2008, FreeBSD Security Advisories wrote:
 > > 
 > >  > IV.  Workaround
 > >  > 
 > >  > Disable support for IPv6 in the sshd(8) daemon by setting the option
 > >  > "AddressFamily inet" in /etc/ssh/sshd_config.
 > >  > 
 > >  > Disable support for X11 forwarding in the sshd(8) daemon by setting
 > >  > the option "X11Forwarding no" in /etc/ssh/sshd_config.
 > > 
 > > It's not quite clear from this whether both workarounds are required, or
 > > just either one, until upgrading?
 > 
 > Either one, depending on what you want - if your users *need* and use
 > X11 forwarding, then you wouldn't want to use "X11Forwarding no" :)
 >
 > Basically:
 > - if you DO NOT use X11 forwarding, just disable it with "X11Forwarding no"
 > - if you use X11 forwarding *and* you DO NOT use IPv6, use the
 >   "AddressFamily inet" line
 > - if you use X11 forwarding *and* you use IPv6, then you must upgrade.

Thanks for the confirmation Peter, also Jille and mouss.

cheers, Ian