FreeBSD Security Advisory FreeBSD-SA-08:05.openssh

Matthew Seaman m.seaman at infracaninophile.co.uk
Thu Apr 17 12:27:57 UTC 2008



Ian Smith wrote:
> On Thu, 17 Apr 2008, Peter Pentchev wrote:
>  > On Thu, Apr 17, 2008 at 04:07:56PM +1000, Ian Smith wrote:
>  > > On Thu, 17 Apr 2008, FreeBSD Security Advisories wrote:
>  > > 
>  > >  > IV.  Workaround
>  > >  > 
>  > >  > Disable support for IPv6 in the sshd(8) daemon by setting the option
>  > >  > "AddressFamily inet" in /etc/ssh/sshd_config.
>  > >  > 
>  > >  > Disable support for X11 forwarding in the sshd(8) daemon by setting
>  > >  > the option "X11Forwarding no" in /etc/ssh/sshd_config.
>  > > 
>  > > It's not quite clear from this whether both workarounds are required, or
>  > > just either one, until upgrading?
>  > 
>  > Either one, depending on what you want - if your users *need* and use
>  > X11 forwarding, then you wouldn't want to use "X11Forwarding no" :)
>  >
>  > Basically:
>  > - if you DO NOT use X11 forwarding, just disable it with "X11Forwarding no"
>  > - if you use X11 forwarding *and* you DO NOT use IPv6, use the
>  >   "AddressFamily inet" line
>  > - if you use X11 forwarding *and* you use IPv6, then you must upgrade.
> 
> Thanks for the confirmation Peter, also Jille and mouss.

Hmmm... something that wasn't immediately clear to me reading the advisory:
the requirement for an attacker to listen(2) on tcp port 6010 means that they
have to have a login on the box being attacked.  i.e. it's a *local* information
leak rather than a network attack.  It took me some time and a few gentle
thwaps with the clue stick by colleagues better versed in the sockets API than
me before I understood that.

	Cheers,

	Matthew

-- 
Dr Matthew J Seaman MA, D.Phil.                       Flat 3
                                                      7 Priory Courtyard
PGP: http://www.infracaninophile.co.uk/pgpkey         Ramsgate
                                                      Kent, CT11 9PW, UK
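
An added example, not part of the advisory or of any message in this thread: a POSIX sh check of which of the two workarounds quoted above a given sshd_config has in effect. The function name sa0805_workaround is hypothetical; it assumes sshd's documented first-value-wins parsing, treats an absent directive as not set rather than guessing a default, and counts any "X11Forwarding yes" inside a Match block as undoing the X11 workaround.

```sh
#!/bin/sh
# Added example (not from the advisory): classify an sshd_config against the
# two FreeBSD-SA-08:05.openssh workarounds discussed in the thread.
# Prints: x11-disabled | ipv4-only | none
sa0805_workaround() {
    awk '
        # Strip comments, accept "Keyword=value", drop optional quotes.
        { sub(/#.*/, ""); sub(/=/, " "); gsub(/"/, "") }
        NF < 2 { next }
        { key = tolower($1) }              # keywords are case-insensitive
        key == "match" { in_match = 1; next }
        key == "x11forwarding" {
            if (in_match) {
                # A Match block can turn forwarding back on for some users.
                if ($2 == "yes") match_yes = 1
            } else if (x11 == "") {
                x11 = $2                   # first obtained value wins
            }
        }
        # AddressFamily is only valid in the global section.
        key == "addressfamily" && !in_match && af == "" { af = $2 }
        END {
            if (x11 == "no" && !match_yes) print "x11-disabled"
            else if (af == "inet")         print "ipv4-only"
            else                           print "none"
        }
    ' "$1"
}

# Constructed sample: forwarding disabled globally but re-enabled for one
# user in a Match block, with sshd restricted to IPv4.
sample=$(mktemp)
cat > "$sample" <<'EOF'
# constructed sshd_config fragment
addressfamily inet
X11Forwarding no
Match User alice
    X11Forwarding yes
EOF
sa0805_workaround "$sample"    # ipv4-only
rm -f "$sample"
```

A result of "none" corresponds to the third case in the quoted list: neither workaround is set in the file. The check reads the file only and says nothing about a running sshd that has not reloaded its configuration.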

