On Wed, Feb 08, 2012 at 06:44:26PM +0100, Moritz Muehlenhoff wrote: > On Thu, Jan 26, 2012 at 07:50:24PM -0500, Marc Deslauriers wrote: > > Looks like this: > > > > http://www.openbsd.org/cgi-bin/cvsweb/src/usr.bin/ssh/auth-options.c.diff?r1=1.53;r2=1.54 > > Colin, can you fix this for the 6.0.5 point release?
Yes - sorry for the delay, real life intervened fairly heavily. Do the signed packages at master:~cjwatson/openssh/ meet your requirements? A debdiff follows. diff -Nru openssh-5.5p1/debian/changelog openssh-5.5p1/debian/changelog --- openssh-5.5p1/debian/changelog 2011-07-28 17:44:13.000000000 +0100 +++ openssh-5.5p1/debian/changelog 2012-02-20 02:26:35.000000000 +0000 @@ -1,3 +1,11 @@ +openssh (1:5.5p1-6+squeeze2) stable-security; urgency=high + + * CVE-2012-0814: Don't send the actual forced command in a debug message, + which allowed remote authenticated users to obtain potentially sensitive + information by reading these messages (closes: #657445). + + -- Colin Watson <cjwat...@debian.org> Mon, 20 Feb 2012 02:23:55 +0000 + openssh (1:5.5p1-6+squeeze1) stable; urgency=low * Quieten logs when multiple from= restrictions are used in different diff -Nru openssh-5.5p1/debian/patches/forced-command-debug-security.patch openssh-5.5p1/debian/patches/forced-command-debug-security.patch --- openssh-5.5p1/debian/patches/forced-command-debug-security.patch 1970-01-01 01:00:00.000000000 +0100 +++ openssh-5.5p1/debian/patches/forced-command-debug-security.patch 2012-02-20 02:18:45.000000000 +0000 
@@ -0,0 +1,19 @@ +Description: Don't send the actual forced command in a debug message +Origin: upstream, http://www.openbsd.org/cgi-bin/cvsweb/src/usr.bin/ssh/auth-options.c.diff?r1=1.53;r2=1.54 +Bug-Debian: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=657445 +Forwarded: not-needed +Last-Update: 2012-02-20 + +Index: b/auth-options.c +=================================================================== +--- a/auth-options.c ++++ b/auth-options.c +@@ -174,7 +174,7 @@ + goto bad_option; + } + forced_command[i] = '\0'; +- auth_debug_add("Forced command: %.900s", forced_command); ++ auth_debug_add("Forced command."); + opts++; + goto next_option; + } diff -Nru openssh-5.5p1/debian/patches/series openssh-5.5p1/debian/patches/series --- openssh-5.5p1/debian/patches/series 2011-07-28 17:22:59.000000000 +0100 +++ openssh-5.5p1/debian/patches/series 2012-02-20 02:22:06.000000000 +0000 @@ -27,6 +27,9 @@ dnssec-sshfp.patch auth-log-verbosity.patch +# Security fixes +forced-command-debug-security.patch + # Versioning package-versioning.patch debian-banner.patch -- Colin Watson [cjwat...@debian.org] -- To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
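Review bot: for the debian/changelog hunk, the entry has what a stable-security upload needs (the CVE id, the Debian bug it closes, `urgency=high`, the `stable-security` distribution); the one thing worth adding is the upstream origin, since the `Origin:` line in the patch header carries the OpenBSD cvsweb URL but the changelog cites only the CVE, and the changelog is what apt-listchanges readers will see.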
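Review bot: for the auth-options.c hunk, the fix is the dropped `%.900s` argument: `auth_debug_add("Forced command.");` now records only that a forced command is present, so the command text no longer reaches the authenticating client through the auth debug messages, which is exactly the exposure the changelog describes for CVE-2012-0814. The replacement line matches the upstream r1.53 to r1.54 diff named in `Origin:`, and the DEP-3 header (`Bug-Debian`, `Forwarded: not-needed`, `Last-Update`) is complete. It would be worth checking in the same pass that none of the other `auth_debug_add` calls in auth-options.c embed option values in the same way.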
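Review bot: for the debian/patches/series hunk, the new `# Security fixes` section is inserted after auth-log-verbosity.patch, which by its name also concerns auth logging; since series order is apply order and the new patch carries a fixed `@@ -174,7 +174,7 @@` header, confirm that quilt applies it cleanly on top of the preceding patches rather than only against pristine upstream.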