[CVE-2007-4752] ssh in OpenSSH before 4.7 does not properly handle...

Fixed in Hardy now; stable updates still remain (Kees acknowledged this bug on IRC).

openssh (1:4.7p1-1) unstable; urgency=low

  * New upstream release (closes: #453367).
    - CVE-2007-4752: Prevent ssh(1) from using a trusted X11 cookie if
      creation of an untrusted cookie fails; found and fixed by Jan Pechanec
      (closes: #444738).
    - sshd(8) in new installations defaults to SSH Protocol 2 only. Existing
      installations are unchanged.
    - The SSH channel window size has been increased, and both ssh(1)
      sshd(8) now send window updates more aggressively. These improves
      performance on high-BDP (Bandwidth Delay Product) networks.
    - ssh(1) and sshd(8) now preserve MAC contexts between packets, which
      saves 2 hash calls per packet and results in 12-16% speedup for
      arcfour256/hmac-md5.
    - A new MAC algorithm has been added, UMAC-64 (RFC4418) as
      "<email address hidden>". UMAC-64 has been measured to be approximately
      20% faster than HMAC-MD5.
    - Failure to establish a ssh(1) TunnelForward is now treated as a fatal
      error when the ExitOnForwardFailure option is set.
    - ssh(1) returns a sensible exit status if the control master goes away
      without passing the full exit status.
    - When using a ProxyCommand in ssh(1), set the outgoing hostname with
      gethostname(2), allowing hostbased authentication to work.
    - Make scp(1) skip FIFOs rather than hanging (closes: #246774).
    - Encode non-printing characters in scp(1) filenames. These could cause
      copies to be aborted with a "protocol error".
    - Handle SIGINT in sshd(8) privilege separation child process to ensure
      that wtmp and lastlog records are correctly updated.
    - Report GSSAPI mechanism in errors, for libraries that support multiple
      mechanisms.
    - Improve documentation for ssh-add(1)'s -d option.
    - Rearrange and tidy GSSAPI code, removing server-only code being linked
      into the client.
    - Delay execution of ssh(1)'s LocalCommand until after all forwardings
      have been established.
    - In scp(1), do not truncate non-regular files.
    - Improve exit message from ControlMaster clients.
    - Prevent sftp-server(8) from reading until it runs out of buffer space,
      whereupon it would exit with a fatal error (closes: #365541).
    - pam_end() was not being called if authentication failed
      (closes: #405041).
    - Manual page datestamps updated (closes: #433181).
  * Install the OpenSSH FAQ in /usr/share/doc/openssh-client.
    - Includes documentation on copying files with colons using scp
      (closes: #303453).
  * Create /var/run/sshd on start even if /etc/ssh/sshd_not_to_be_run exists
    (closes: #453285).
  * Fix "overriden" typo in ssh(1) (thanks, A. Costa; closes: #390699).
  * Refactor debian/rules configure and make invocations to make development
    easier.
  * Remove the hideously old /etc/ssh/primes on upgrade (closes: #123013).
  * Update moduli(5) to revision 1.11 from OpenBSD CVS.
  * Document the non-default options we set as standard in ssh_config(5) and
    sshd_config(5) (closes: #327886, #345...

The attached patches don't seem to match the upstream changes. I've rearranged things a bit to remove the duplicated xauth listing code, and will have this published shortly. Thanks!

This bug was fixed in the package openssh - 1:4.6p1-5ubuntu0.1

---------------
openssh (1:4.6p1-5ubuntu0.1) gutsy-security; urgency=low

  * SECURITY UPDATE: trusted cookie leak when untrusted cookie cannot be
    generated.
  * debian/control: Updated Maintainer Field to follow Ubuntu Maintainer Policy
  * clientloop.c: Applied patch according to openssh upstream (LP: #162171),
    thanks to Stephan Hermann.
  * References:
    CVE-2007-4752
    http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=444738
    http://www.openbsd.org/cgi-bin/cvsweb/src/usr.bin/ssh/clientloop.c.diff?r1=1.180&r2=1.181

 -- Kees Cook <email address hidden> Wed, 09 Jan 2008 12:37:26 -0800

This bug was fixed in the package openssh - 1:4.3p2-8ubuntu1.1

---------------
openssh (1:4.3p2-8ubuntu1.1) feisty-security; urgency=low

  * SECURITY UPDATE: trusted cookie leak when untrusted cookie cannot be
    generated.
  * clientloop.c: Applied patch according to openssh upstream (LP: #162171),
    thanks to Stephan Hermann.
  * References:
    CVE-2007-4752
    http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=444738
    http://www.openbsd.org/cgi-bin/cvsweb/src/usr.bin/ssh/clientloop.c.diff?r1=1.180&r2=1.181

 -- Kees Cook <email address hidden> Wed, 09 Jan 2008 12:39:28 -0800

Published in: http://www.ubuntu.com/usn/usn-566-1