From: mouss
Date: Thu, 17 Apr 2008 10:39:12 +0200
To: Ian Smith
Cc: freebsd-security@freebsd.org
Subject: Re: FreeBSD Security Advisory FreeBSD-SA-08:05.openssh
Message-ID: <48070CB0.3050303@netoyen.net>

Ian Smith wrote:
> On Thu, 17 Apr 2008, FreeBSD Security Advisories wrote:
>
> > IV. Workaround
> >
> > Disable support for IPv6 in the sshd(8) daemon by setting the option
> > "AddressFamily inet" in /etc/ssh/sshd_config.
> >
> > Disable support for X11 forwarding in the sshd(8) daemon by setting
> > the option "X11Forwarding no" in /etc/ssh/sshd_config.
>
> It's not quite clear from this whether both workarounds are required, or
> just either one, until upgrading?
>

My understanding is that either workaround will prevent the problem,
since the problem relies on X11 forwarding and IPv6 being both enabled.
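
One way to check an sshd_config for the two workaround settings quoted above (an added example, not part of the original message or the advisory). The function names and sample configurations are constructed for illustration. The check assumes a workaround counts only when the option is set explicitly at global scope, and it follows the reply's reading that either setting is sufficient.

```python
import re

# "Keyword value" or "Keyword=value"; sshd_config keywords are case-insensitive.
DIRECTIVE = re.compile(r'(\w+)(?:\s*=\s*|\s+)(.*)')

def parse_sshd_config(text):
    """Return (global_opts, match_opts): the first value seen for each global
    keyword, and every (keyword, value) pair found inside Match blocks."""
    global_opts, match_opts, in_match = {}, [], False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank lines and commented-out options set nothing
        m = DIRECTIVE.match(line)
        if not m:
            continue
        key = m.group(1).lower()
        value = m.group(2).strip().strip('"').lower()
        if key == "match":
            in_match = True  # what follows is conditional, not global
        elif in_match:
            match_opts.append((key, value))
        else:
            global_opts.setdefault(key, value)  # first obtained value is used
    return global_opts, match_opts

def workaround_status(text):
    """Report which of the advisory's two workarounds is explicitly configured."""
    global_opts, match_opts = parse_sshd_config(text)
    ipv6_off = global_opts.get("addressfamily") == "inet"
    # A Match block that turns X11 forwarding back on undoes the global "no"
    # for the connections it matches, so it is not counted as applied.
    x11_off = (global_opts.get("x11forwarding") == "no"
               and ("x11forwarding", "yes") not in match_opts)
    return {"ipv6_disabled": ipv6_off, "x11_disabled": x11_off,
            "either_applied": ipv6_off or x11_off}

# Constructed sample configurations (not taken from any real host).
SAMPLE_IPV4_ONLY = "Port 22\nAddressFamily inet\nX11Forwarding yes\n"
SAMPLE_MATCH_OVERRIDE = ("X11Forwarding no\n"
                         "Match User alice\n"
                         "    X11Forwarding yes\n")
SAMPLE_COMMENTED = "#AddressFamily inet\n#X11Forwarding no\n"

if __name__ == "__main__":
    for name, cfg in [("ipv4-only", SAMPLE_IPV4_ONLY),
                      ("match-override", SAMPLE_MATCH_OVERRIDE),
                      ("commented", SAMPLE_COMMENTED)]:
        print(name, workaround_status(cfg))
```

The Match-block case is the one that is easy to miss by eye: a global "X11Forwarding no" does not hold for connections that a later Match block sets back to "yes".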