[openssh] [CVE-2008-1657] possibility to bypass global "ForceCommand" directive

Bug #227322 reported by disabled.user
Affects            Status         Importance   Assigned to    Milestone
openssh (Ubuntu)   Fix Released   Undecided    Colin Watson
  Declined for Dapper by Kees Cook
  Declined for Feisty by Kees Cook
Gutsy              Fix Released   Low          Kees Cook
Hardy              Fix Released   Undecided    Colin Watson
Intrepid           Fix Released   Undecided    Colin Watson

Bug Description

Quoting CVE-2008-1657:
"OpenSSH before 4.9 allows remote authenticated users to bypass the sshd_config ForceCommand directive by modifying the .ssh/rc session file."

Colin Watson (cjwatson) wrote :

Already fixed in Hardy/Intrepid and backported to earlier releases. Please look at the changelog as well as just the version number!

openssh (1:4.7p1-8) unstable; urgency=high

  * Fill in CVE identifier for security vulnerability fixed in 1:4.7p1-5.
  * Rename KeepAlive to TCPKeepAlive in sshd_config, cleaning up from old
    configurations (LP: #211400).
  * Tweak scp's reporting of filenames in verbose mode to be a bit less
    confusing with spaces (thanks, Nicolas Valcárcel; LP: #89945).
  * Backport from 4.9p1:
    - Ignore ~/.ssh/rc if a sshd_config ForceCommand is specified (see
      http://www.securityfocus.com/bid/28531/info).
    - Add no-user-rc authorized_keys option to disable execution of
      ~/.ssh/rc.
  * Backport from Simon Wilkinson's GSSAPI key exchange patch for 5.0p1:
    - Add code to actually implement GSSAPIStrictAcceptorCheck, which had
      somehow been omitted from a previous version of this patch (closes:
      #474246).

 -- Colin Watson <email address hidden> Sun, 06 Apr 2008 12:34:19 +0100

I believe this is already on the security team's list for earlier releases.

Changed in openssh:
status: New → Fix Released
assignee: nobody → kamion
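
The changelog above backports a no-user-rc option for authorized_keys. As an added example (not part of this bug report or of the OpenSSH/Ubuntu packages), the Python check below flags keys that carry a forced command= but do not disable ~/.ssh/rc. The function names, the sample keys and the handling of the later restrict/user-rc options are assumptions of this example.

```python
import re

# Heuristic (assumption): a line starting with a key-type token has no options.
KEY_TYPE = re.compile(r"(ssh-|ecdsa-|sk-)")

def split_options(line):
    """Return the options field of one authorized_keys line as a list."""
    line = line.strip()
    if not line or line.startswith("#") or KEY_TYPE.match(line):
        return []                      # blank, comment, or key with no options
    opts, cur, quoted, i = [], "", False, 0
    while i < len(line):
        ch = line[i]
        if quoted and ch == "\\" and line[i + 1:i + 2] == '"':
            cur, i = cur + '\\"', i + 2    # escaped quote inside a quoted value
            continue
        if ch == '"':
            quoted = not quoted
        elif not quoted and ch in ", \t":
            opts.append(cur)
            cur = ""
            if ch != ",":
                break                  # unquoted whitespace ends the options
            i += 1
            continue
        cur += ch
        i += 1
    return opts + [cur] if cur else opts

def rc_still_runs(line):
    """True if the key forces a command but ~/.ssh/rc is not disabled."""
    names = [o.split("=", 1)[0].lower() for o in split_options(line)]
    # "restrict" is a later OpenSSH option (not on this page) that also
    # disables ~/.ssh/rc unless "user-rc" turns it back on.
    rc_off = "no-user-rc" in names or ("restrict" in names and "user-rc" not in names)
    return "command" in names and not rc_off

def audit_authorized_keys(text):
    """Line numbers of keys whose forced command does not stop ~/.ssh/rc."""
    return [n for n, l in enumerate(text.splitlines(), 1) if rc_still_runs(l)]

SAMPLE_KEYS = '''\
# constructed sample, key material shortened
command="/usr/local/bin/backup --mode=pull, quiet",no-pty ssh-rsa AAAAB3Nza backup@example
command="/bin/true",no-user-rc ssh-ed25519 AAAAC3Nza deploy@example
restrict,command="uptime" ssh-rsa AAAAB3Nza monitor@example
ssh-rsa AAAAB3Nza admin@example
'''

if __name__ == "__main__":
    print("keys needing no-user-rc, by line:", audit_authorized_keys(SAMPLE_KEYS))
```
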
disabled.user (disabled.user-deactivatedaccount) wrote :

So many things to check... Okay. Just checked at packages.ubuntu.com.

Regarding CVE-2008-1657
- there is no USN
- nothing is mentioned in the changelogs of the corresponding packages for Dapper/Feisty/Gutsy

The last update on those packages is from Kees on April 1st for CVE-2008-1483, as I see it; Hardy and Intrepid indeed have CVE-2008-1657 in the changelog.

Kees Cook (kees) wrote :

Did not apply to Dapper or Feisty. Already fixed in Hardy and Intrepid. USN published for Gutsy: http://www.ubuntu.com/usn/usn-649-1

Changed in openssh:
assignee: nobody → kamion
status: New → Fix Released
assignee: nobody → kees
importance: Undecided → Low
status: New → Fix Released