Hi, On Fri, Jan 15, 2016 at 02:55:43PM +0100, Moritz Muehlenhoff wrote: > On Fri, Jan 15, 2016 at 02:50:33PM +0100, Yves-Alexis Perez wrote: > > On ven., 2016-01-15 at 14:47 +0100, Guido Günther wrote: > > > > I believe Yves-Alexis Perez is handing this. > > > > > > I figured Mike's mail is related to > > > > > > TEMP-0000000 Eliminate the fallback from untrusted X11-forwarding to > > > trusted forwarding for cases when the X server disables the SECURITY > > > extension > > > > > > not to CVE-2016-0777 CVE-2016-0778? > > > > We've not yet investigated the other, CVE-less vulnerabilities fixed by the > > last OpenSSH release (whether for the current stables or for LTS). > > I don't see how "TEMP-0000000 Eliminate the fallback from untrusted > X11-forwarding to > trusted forwarding for cases when the X server disables the SECURITY > extension" has additional security implications not covered by CVE-2015-5352?
I'm the one having added the temporary entry, but needs more checking. CVE-2015-5352 was addressed by https://anongit.mindrot.org/openssh.git/commit/?h=V_6_9&id=1bf477d3cdf1a864646d59820878783d42357a1d The new temporary entry is related to https://anongit.mindrot.org/openssh.git/commit/?id=ed4ce82dbfa8a3a3c8ea6fa0db113c71e234416c Hope this helps for the further checking. If it turns out to be not an issue we can drop the entry again. Regards, Salvatore
