Ian Smith wrote:
> On Thu, 17 Apr 2008, Peter Pentchev wrote:
> > On Thu, Apr 17, 2008 at 04:07:56PM +1000, Ian Smith wrote:
> > > On Thu, 17 Apr 2008, FreeBSD Security Advisories wrote:
> > >
> > > > IV. Workaround
> > > >
> > > > Disable support for IPv6 in the sshd(8) daemon by setting the option
> > > > "AddressFamily inet" in /etc/ssh/sshd_config.
> > > >
> > > > Disable support for X11 forwarding in the sshd(8) daemon by setting
> > > > the option "X11Forwarding no" in /etc/ssh/sshd_config.
> > >
> > > It's not quite clear from this whether both workarounds are required, or
> > > just either one, until upgrading?
> >
> > Either one, depending on what you want - if your users *need* and use
> > X11 forwarding, then you wouldn't want to use "X11Forwarding no" :)
> >
> > Basically:
> > - if you DO NOT use X11 forwarding, just disable it with "X11Forwarding no"
> > - if you use X11 forwarding *and* you DO NOT use IPv6, use the
> >   "AddressFamily inet" line
> > - if you use X11 forwarding *and* you use IPv6, then you must upgrade.
>
> Thanks for the confirmation Peter, also Jille and mouss.
Hmmm... something that wasn't immediately clear to me reading the advisory: the requirement for an attacker to listen(2) on tcp port 6010 means that they have to have a login on the box being attacked, i.e. it's a *local* information leak rather than a network attack. It took me some time and a few gentle thwaps with the clue stick by colleagues better versed in the sockets API than me before I understood that.

Cheers,

Matthew

--
Dr Matthew J Seaman MA, D.Phil.                   Flat 3
                                                  7 Priory Courtyard
PGP: http://www.infracaninophile.co.uk/pgpkey     Ramsgate
                                                  Kent, CT11 9PW, UK
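Peter's three-way decision list above, applied to an sshd_config file as a quick audit: this is an added example for this page, not code from the thread, the advisory or FreeBSD. It assumes the upstream sshd_config(5) defaults (X11Forwarding "no", AddressFamily "any") when a keyword is absent, and reads only the global section before any Match block, since a value set inside a Match block is conditional and does not change the global setting.

```python
"""Report which workaround from the advisory an sshd_config applies.

Constructed example: parsing follows sshd_config(5) conventions ('#' starts
a comment, keywords are case-insensitive, the first value for a keyword
wins, and everything after the first 'Match' line is conditional).
"""

# Upstream defaults, used when the keyword is not set explicitly (assumption:
# a vendor-shipped sshd_config may set different values, which this parser
# then reads from the file itself).
DEFAULTS = {"x11forwarding": "no", "addressfamily": "any"}


def parse_sshd_config(text):
    """Return the effective global values for the two keywords, lowercased."""
    values = dict(DEFAULTS)
    seen = set()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blanks
        if not line:
            continue
        parts = line.split(None, 1)
        key = parts[0].lower()
        if key == "match":                    # rest of file is conditional
            break
        if key in values and key not in seen: # first occurrence wins
            seen.add(key)
            values[key] = parts[1].strip().strip('"').lower() if len(parts) > 1 else ""
    return values


def workaround_status(text):
    """Classify the config according to the three cases in the thread."""
    cfg = parse_sshd_config(text)
    if cfg["x11forwarding"] == "no":
        return "safe: X11 forwarding disabled"
    if cfg["addressfamily"] == "inet":
        return "safe: X11 forwarding on, IPv6 disabled in sshd"
    return "vulnerable: X11 forwarding and IPv6 both enabled, upgrade sshd"


if __name__ == "__main__":
    import sys
    path = sys.argv[1] if len(sys.argv) > 1 else "/etc/ssh/sshd_config"
    with open(path) as fh:
        print(workaround_status(fh.read()))
```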