From: Matthew Seaman
Organization: Infracaninophile
Date: Thu, 17 Apr 2008 13:27:41 +0100
To: Ian Smith
Cc: freebsd-security@freebsd.org
Subject: Re: FreeBSD Security Advisory FreeBSD-SA-08:05.openssh
Message-ID: <4807423D.1090206@infracaninophile.co.uk>

Ian Smith wrote:
> On Thu, 17 Apr 2008, Peter Pentchev wrote:
> > On Thu, Apr 17, 2008 at 04:07:56PM +1000, Ian Smith wrote:
> > > On Thu, 17 Apr 2008, FreeBSD Security Advisories wrote:
> > >
> > > > IV. Workaround
> > > >
> > > > Disable support for IPv6 in the sshd(8) daemon by setting the option
> > > > "AddressFamily inet" in /etc/ssh/sshd_config.
> > > >
> > > > Disable support for X11 forwarding in the sshd(8) daemon by setting
> > > > the option "X11Forwarding no" in /etc/ssh/sshd_config.
> > >
> > > It's not quite clear from this whether both workarounds are required, or
> > > just either one, until upgrading?
> >
> > Either one, depending on what you want - if your users *need* and use
> > X11 forwarding, then you wouldn't want to use "X11Forwarding no" :)
> >
> > Basically:
> > - if you DO NOT use X11 forwarding, just disable it with "X11Forwarding no"
> > - if you use X11 forwarding *and* you DO NOT use IPv6, use the
> >   "AddressFamily inet" line
> > - if you use X11 forwarding *and* you use IPv6, then you must upgrade.
>
> Thanks for the confirmation Peter, also Jille and mouss.

Hmmm... something that wasn't immediately clear to me reading the
advisory: the requirement for an attacker to listen(2) on tcp port 6010
means that they have to have a login on the box being attacked. ie. it's
a *local* information leak rather than a network attack.

It took me some time and a few gentle thwaps with the clue stick by
colleagues better versed in the sockets API than me before I understood
that.

Cheers,

Matthew

-- 
Dr Matthew J Seaman MA, D.Phil.
Flat 3
7 Priory Courtyard
Ramsgate
Kent, CT11 9PW, UK
PGP: http://www.infracaninophile.co.uk/pgpkey
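
Added example, not part of the original message or of the advisory: a small check that reports which of the two workarounds quoted above is set in an sshd_config, including the case where a Match block turns X11 forwarding back on. The function names and the sample configuration are constructed for illustration, and an option that is not set at all is deliberately not counted as a workaround.

```python
# Added example, not from the thread. SAMPLE is constructed.
SAMPLE = """\
Port 22
AddressFamily any
X11Forwarding no
x11forwarding yes
Match User alice
    X11Forwarding yes
"""

def parse(text):
    """Split sshd_config text into global options and Match blocks.
    Keywords are case-insensitive and the first value seen is the one used."""
    glob, matches, current = {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(None, 1)
        key = fields[0].lower()
        value = fields[1].strip().strip('"') if len(fields) > 1 else ""
        if key == "match":              # options below apply to this block only
            current = {}
            matches.append((value, current))
            continue
        target = glob if current is None else current
        target.setdefault(key, value)   # keep the first occurrence
    return glob, matches

def workarounds_in_effect(text):
    """Return (workarounds, reenabled): the advisory workarounds set globally,
    and the Match criteria under which X11 forwarding is switched back on."""
    glob, matches = parse(text)
    reenabled = [crit for crit, opts in matches
                 if opts.get("x11forwarding", "").lower() == "yes"]
    found = []
    # Assumption: an unset option is not counted, since defaults differ by build.
    if glob.get("x11forwarding", "").lower() == "no" and not reenabled:
        found.append("X11Forwarding no")
    if glob.get("addressfamily", "").lower() == "inet":
        found.append("AddressFamily inet")
    return found, reenabled

if __name__ == "__main__":
    found, reenabled = workarounds_in_effect(SAMPLE)
    print("workarounds in effect:", found or "none")
    print("X11 forwarding re-enabled under Match:", reenabled)
```
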