From: Eygene Ryabinkin
Date: Mon, 7 Apr 2008 19:18:33 +0400
To: secteam@FreeBSD.org
Cc: freebsd-security@freebsd.org, security-officer@FreeBSD.org, des@freebsd.org
Subject: CVE-2008-1483: OpenSSH X11 connection hijacking

Good day.

I just read the security alert from the Globus Alliance and want to pass this information to the FreeBSD security people. Apologies if the issue is already known and is worked on.

Since the information was already disclosed to the public, I am CC'ing to the freebsd-security mailing list.

The following sources show that OpenBSD <= 4.9 are affected by the local X11 connection hijacking:

http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=463011
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1483
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-1483
http://www.openssh.org/txt/release-5.0

The following patch is said to cure the problem:

http://cvs.fedora.redhat.com/viewcvs/rpms/openssh/devel/openssh-3.9p1-skip-used.patch?rev=1.1&view=markup

Adding 'AddressFamily inet' or using IPv6-disabled system configuration should eliminate the issue. But the default configuration of SSH and/or FreeBSD kernel uses AddressFamily of 'any' and has IPv6 enabled in the GENERIC kernel, so it can be affected.

Unable to test it by myself, since all FreeBSD systems I have at hand are running IPv4 only.

-- 
Eygene
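
A way to check a host for the 'AddressFamily inet' workaround mentioned in the message above, given as an added example that is not part of the original message or of OpenSSH. The function names, status strings and both sample configurations are constructed for illustration, and `x11_default` is an assumption that must be set to the X11Forwarding default of the sshd build being audited.

```python
# Added example: read sshd_config text and report whether the
# 'AddressFamily inet' workaround is in effect while X11 forwarding is on.

SAMPLE_DEFAULT = """\
# constructed sample: AddressFamily left at its default
#AddressFamily any
X11Forwarding yes
"""

SAMPLE_WORKAROUND = """\
# constructed sample: workaround applied; sshd ignores the later duplicate
addressfamily inet
AddressFamily any
Match User alice
    X11Forwarding yes
"""


def directives(config_text):
    """Yield (in_match_block, keyword, first_argument), both lowercased."""
    in_match = False
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue                            # blank line or comment
        parts = line.replace("=", " ", 1).split()
        if len(parts) < 2:
            continue
        key, value = parts[0].lower(), parts[1].lower()
        if key == "match":
            in_match = True                     # later lines are conditional
            continue
        yield in_match, key, value


def workaround_status(config_text, x11_default="no"):
    """x11_default is an assumption: pass the default of the audited build."""
    family, x11_global, x11_in_match = None, None, False
    for in_match, key, value in directives(config_text):
        if key == "addressfamily" and not in_match and family is None:
            family = value                      # first occurrence wins
        elif key == "x11forwarding":
            if in_match:
                x11_in_match = x11_in_match or value == "yes"
            elif x11_global is None:
                x11_global = value
    family = family or "any"                    # default named in the message
    x11_on = (x11_global or x11_default) == "yes" or x11_in_match
    if not x11_on:
        return "x11-forwarding-off"
    return "workaround-applied" if family == "inet" else "review"
```

On a live host, the text to pass in is the content of the sshd_config file actually loaded by the running daemon; a result of `review` means X11 forwarding is enabled somewhere and the address family is not restricted to IPv4.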