For Jammy, please consider rebasing on top of
https://code.launchpad.net/~slyon/ubuntu/+source/openssh/+git/openssh/+merge/478457
So we can bundle this and the other (GSSAPI) SRU into a single upload.
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscri
please rebase for focal/jammy on current -security
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/2077576
Title:
SSH client doesn't handle properly non-ASCII chars
To manage notifications about this
Also it doesn't matter if these characters are part of all the character
sets if they're passed through to the client terminal in the wrong
ENCODING. Non-ASCII characters almost entirely do not have the same
binary representation in UTF-8 as in other character sets, including
these.
--
Ok that's correct, at the time of review Tobias was a member of the
security team so I think we can take that as the necessary sign-off.
--
> Please add a verification that your final purpose actually works to
the Test Plan
Ok, I've added details on how to test using Authd, linking to its
documentation for all the setup details
> OK, but there are cases where we recommend doing that, such as for
HOTP/TOTP configuration: https://ubuntu.c
Leaving my draft here both so you can read it and so I don't lose it:
> Indeed, the reason for this is that in authd we are presenting a
qrcode to perform weblogin and that doesn't work.
This seems a reasonable justification for an SRU in principle then, now
that it's documented. Thank you for th
Mh, yeah looks like the terminal filtering is something we should do in
openssh anyways, at various levels though.
Fact is that if a server is malicious, nothing prevents it from doing the same
through a simpler sshd banner or command, that is still able to act on
the remote terminal.
It's true that PAM modu
This change makes me uneasy:
- I see no terminal-aware filtering applied in the notify_start() ->
xvasprintf() -> writemsg() -> write() path. The remote server may not be
entirely untrusted but it's also not exactly trusted, either, especially
on the first use. There's a long and glorious history
** Description changed:
[ Impact ]
- Non-ascii visible chars are not properly rendered by clients, showing
- their octal visualization.
+ Non-ascii visible chars (including back-slashes, new lines and so) are
+ not properly rendered by clients, showing their octal visualization.
Such as:
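Review bot: The added wording "Non-ascii visible chars (including back-slashes, new lines and so)" gives back-slashes and new lines as examples of non-ASCII visible characters, but both are ASCII and a new line is not a visible character. Consider listing them separately, for example "Non-ASCII visible chars, as well as back-slashes and new lines, are not properly rendered", and writing "and so on" if more cases are meant, so the Impact section states exactly which bytes end up shown in octal.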
> This seems like quite an invasive change. It has not yet been accepted
upstream.
Nope, but reviewed and approved by at least one upstream developer both
upstream and downstream (Tobias), while we're using it in noble for a few
months already with no issue reported so far.
> It touches PAM, and it
This seems like quite an invasive change. It has not yet been accepted
upstream. It touches PAM, and it looks to me like it might affect
behaviour before authentication is complete. It affects escaping.
Injection of malicious data into a stream to be parsed by the terminal
has security implications
** Changed in: openssh (Ubuntu Focal)
Status: In Progress => Fix Committed
** Changed in: openssh (Ubuntu Jammy)
Status: In Progress => Fix Committed
--
** Description changed:
[ Impact ]
Non-ascii visible chars are not properly rendered by clients, showing
their octal visualization.
Such as:
Hello SSHD! We love \360\237\215\225!
[ Test case ]
## Server preparation
Enable PAM and keyboard interactive authenticatio
** Merge proposal linked:
https://code.launchpad.net/~3v1n0/ubuntu/+source/openssh/+git/openssh/+merge/471763
--
** Merge proposal linked:
https://code.launchpad.net/~3v1n0/ubuntu/+source/openssh/+git/openssh/+merge/471761