Site Navigation

Date:      Thu, 17 Apr 2008 13:27:41 +0100
From:      Matthew Seaman <m.seaman@infracaninophile.co.uk>
To:        Ian Smith <smithi@nimnet.asn.au>
Cc:        freebsd-security@freebsd.org
Subject:   Re: FreeBSD Security Advisory FreeBSD-SA-08:05.openssh
Message-ID:  <4807423D.1090206@infracaninophile.co.uk>
In-Reply-To: <Pine.BSF.3.96.1080417212950.23910C-100000@gaia.nimnet.asn.au>
References:  <Pine.BSF.3.96.1080417212950.23910C-100000@gaia.nimnet.asn.au>

---

next in thread | previous in thread | raw e-mail | index | archive | help

---

-----BEGIN PGP SIGNED MESSAGE-----
Hash: RIPEMD160

Ian Smith wrote:
> On Thu, 17 Apr 2008, Peter Pentchev wrote:
>  > On Thu, Apr 17, 2008 at 04:07:56PM +1000, Ian Smith wrote:
>  > > On Thu, 17 Apr 2008, FreeBSD Security Advisories wrote:
>  > > 
>  > >  > IV.  Workaround
>  > >  > 
>  > >  > Disable support for IPv6 in the sshd(8) daemon by setting the option
>  > >  > "AddressFamily inet" in /etc/ssh/sshd_config.
>  > >  > 
>  > >  > Disable support for X11 forwarding in the sshd(8) daemon by setting
>  > >  > the option "X11Forwarding no" in /etc/ssh/sshd_config.
>  > > 
>  > > It's not quite clear from this whether both workarounds are required, or
>  > > just either one, until upgrading?
>  > 
>  > Either one, depending on what you want - if your users *need* and use
>  > X11 forwarding, then you wouldn't want to use "X11Forwarding no" :)
>  >
>  > Basically:
>  > - if you DO NOT use X11 forwarding, just disable it with "X11Forwarding no"
>  > - if you use X11 forwarding *and* you DO NOT use IPv6, use the
>  >   "AddressFamily inet" line
>  > - if you use X11 forwarding *and* you use IPv6, then you must upgrade.
> 
> Thanks for the confirmation Peter, also Jille and mouss.

Hmmm... something that wasn't immediately clear to me reading the advisory:
the requirement for an attacker to listen(2) on tcp port 6010 means that they
have to have a login on the box being attacked.  ie. it's a *local* information
leak rather than a network attack.  It took me some time and a few gentle
thwaps with the clue stick by colleagues better versed in the sockets API than
me before I understood that.

	Cheers,

	Matthew

- -- 
Dr Matthew J Seaman MA, D.Phil.                       Flat 3
                                                      7 Priory Courtyard
PGP: http://www.infracaninophile.co.uk/pgpkey         Ramsgate
                                                      Kent, CT11 9PW, UK
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.8 (FreeBSD)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iEYEAREDAAYFAkgHQj0ACgkQ3jDkPpsZ+VYShwCZAR5SfHeq64lznU54XpqQq190
/GAAnirda/Nn0LUrZV9qGTEZ/4uq6oYB
=nquC
-----END PGP SIGNATURE-----

---

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?4807423D.1090206>

Legal Notices | © 1995-2025 The FreeBSD Project. All rights reserved.

Contact