From: Alan Amesbury
Subject: SSH patch for X SECURITY bug (CVE-2015-5352)?
Date: Fri, 26 Feb 2016 14:59:30 -0600
To: freebsd-stable@freebsd.org

A while back someone discovered a bug prior to OpenSSH v6.9 relating to use of the "-X" (X11 forwarding) option for the SSH client. The CVE entry contains links to a couple other sites:

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5352

The OpenSSH v6.9 release notes (http://www.openssh.com/txt/release-6.9) mention this as a security bugfix, but don't indicate if the problem existed in versions earlier than v6.8; FreeBSD 9.3-RELEASE, 10.1-RELEASE, and 10.2-RELEASE appear to have v6.6.1 (although linked against different versions of OpenSSL). I've searched FreeBSD's security advisories, but see no mention of this bug at all (certainly not in the most recent OpenSSH advisories). Top search hits in Google for this CVE show a couple Linux distros (RedHat and Ubuntu) mention it. For what it's worth, RedHat's declining to fix it in RHEL 5, deferring the fix in RHEL 6, and says RHEL 7 is not affected. Ubuntu's support mentions it but describes no plans to fix it.

Are any of you aware of a patch for this that's been committed unannounced? It strikes me as a somewhat esoteric bug, but I promised someone I'd ask around about it. If no patch is committed, is the plan to just defer this one until later?

-- 
Alan Amesbury
University Information Security
http://umn.edu/lookup/amesbury