On Fri, Jan 15, 2016 at 02:50:33PM +0100, Yves-Alexis Perez wrote: > On ven., 2016-01-15 at 14:47 +0100, Guido Günther wrote: > > > I believe Yves-Alexis Perez is handing this. > > > > I figured Mike's mail is related to > > > > TEMP-0000000 Eliminate the fallback from untrusted X11-forwarding to > > trusted forwarding for cases when the X server disables the SECURITY > > extension > > > > not to CVE-2016-0777 CVE-2016-0778? > > We've not yet investigated the other, CVE-less vulnerabilities fixed by the > last OpenSSH release (whether for the current stables or for LTS).
OpenSSH upstream decided not to fix the untrusted->trusted forwarding issue in 7.1p2 (https://lists.mindrot.org/pipermail/openssh-unix-dev/2016-January/034684.html). I would recommend holding off on that until they've actually blessed a fix for real. https://security-tracker.debian.org/tracker/source-package/openssh is mistaken in claiming that this is fixed in sid. It's not. -- Colin Watson [cjwat...@debian.org]
