Hi Colin,

On Wed, Apr 23, 2025 at 12:38:41PM +0100, Colin Watson wrote:
> On Tue, Apr 15, 2025 at 09:38:21PM +0200, Salvatore Bonaccorso wrote:
> > On Tue, Apr 15, 2025 at 02:36:09PM +0100, Colin Watson wrote:
> > > On Thu, Apr 10, 2025 at 10:20:44PM +0200, Salvatore Bonaccorso wrote:
> > > > The following vulnerability was published for openssh.
> > > >
> > > > CVE-2025-32728[0]:
> > > > | In sshd in OpenSSH before 10.0, the DisableForwarding directive does
> > > > | not adhere to the documentation stating that it disables X11 and
> > > > | agent forwarding.
> > >
> > > I'd like to upload the attached changes to bookworm-security, as well as
> > > to bullseye-security for LTS (after the usual changelog finalization). Do
> > > these debdiffs look good to you? There's a bit of noise due to git
> > > deciding to serialize some patches slightly differently, but the added
> > > patch is the only effective change in both cases.
> >
> > We initially marked it as no-dsa for bookworm and so the fix could go
> > to the next point release. But given you are suggesting a DSA, maybe
> > we might have missed something important here? Can you elaborate where
> > we might have overlooked something making it warrant a DSA?
> >
> > What I do understand is that the sshd side enforcing is so not doing
> > as documented, and AllowAgentForwarding is by default on yes, where
> > X11Forwarding is changed to default to yes in Debian.
> > So we have in any case a slight difference here in Debian vs.
> > upstream. ForwardAgent client side is disabled by default.
> >
> > And this has been broken for afaiu so many years that batching the
> > update in the next point release seemed initially sufficient?
>
> No, that's fine, I hadn't noticed that you'd marked it as no-dsa. I'll file
> a stable update bug for it.

Thank you!

Regards,
Salvatore
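The practical consequence of the thread above, for anyone running an sshd older than 10.0 (or a Debian package without the fix): a host that relies on `DisableForwarding yes` alone still has agent forwarding enabled (upstream default `AllowAgentForwarding yes`) and, on Debian, X11 forwarding enabled (the shipped sshd_config sets `X11Forwarding yes`). The script below is an added example, not code from the thread, from OpenSSH or from Debian; it audits an sshd_config file for exactly that pattern and reports when the two directives need to be set to `no` explicitly. It assumes plain keyword syntax (first occurrence wins, as sshd_config(5) documents) and stops at the first `Match` block, which it does not evaluate; the `sshd_opt` and `audit_forwarding` function names are my own.

```shell
#!/bin/sh
# Added example, not from the Debian thread or the OpenSSH project.
# Audits an sshd_config for the CVE-2025-32728 pattern: DisableForwarding
# is relied upon, but sshd before 10.0 did not apply it to X11 and agent
# forwarding, so those stay on unless disabled explicitly.
# Assumption: plain "Keyword value" lines; Match blocks are not evaluated.

# Print the effective value (lowercased) of keyword $2 in config file $1,
# or the caller-supplied default $3 when the keyword is absent.
# sshd uses the first occurrence of a keyword, so the scan stops there.
sshd_opt() {
  val=$(awk -v key="$2" '
      BEGIN { key = tolower(key) }
      /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }   # skip comments/blanks
      { k = tolower($1) }
      k == "match" { exit }                            # first Match block ends global section
      k == key { print tolower($2); exit }' "$1")
  printf '%s\n' "${val:-$3}"
}

# Exit status 0 when nothing is being relied upon incorrectly, 1 when
# DisableForwarding is "yes" but X11 or agent forwarding is still effectively on.
# $1 = config file
# $2 = value to assume for X11Forwarding when the file does not set it
#      ("no" is the compiled-in upstream default; pass "yes" if you are
#      auditing a fragment that layers over Debian's shipped file)
audit_forwarding() {
  cfg=$1
  x11_default=${2:-no}
  disable=$(sshd_opt "$cfg" DisableForwarding no)
  agent=$(sshd_opt "$cfg" AllowAgentForwarding yes)
  x11=$(sshd_opt "$cfg" X11Forwarding "$x11_default")

  # If DisableForwarding is not set, the admin is not relying on it; nothing to flag.
  [ "$disable" = "yes" ] || return 0

  rc=0
  if [ "$agent" != "no" ]; then
    echo "WARN: $cfg: DisableForwarding yes, but agent forwarding is still enabled (set AllowAgentForwarding no)"
    rc=1
  fi
  if [ "$x11" != "no" ]; then
    echo "WARN: $cfg: DisableForwarding yes, but X11 forwarding is still enabled (set X11Forwarding no)"
    rc=1
  fi
  return $rc
}

# Usage on a real host:  audit_forwarding /etc/ssh/sshd_config
```

On a live system the more authoritative check is `sshd -T`, which prints the effective configuration with lowercased keywords (`disableforwarding`, `allowagentforwarding`, `x11forwarding`); the file-based audit above is for reviewing configuration in a repository or an image before it is deployed, where no sshd binary is at hand.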