Yes, there was an OpenSSH vulnerability reported a few days ago. This is taken from the BUGTRAQ at SECURITYFOCUS.COM mailing list:

*snip*

Hostile servers can force OpenSSH clients to do agent or X11 forwarding

1. Systems affected:

   All versions of OpenSSH prior to 2.3.0 are affected.

2. Description:

   If agent or X11 forwarding is disabled in the ssh client configuration,
   the client does not request these features during session setup. This
   is the correct behaviour. However, when the ssh client receives an
   actual request asking for access to the ssh-agent, the client fails to
   check whether this feature has been negotiated during session setup.
   The client does not check whether the request is in compliance with the
   client configuration and grants access to the ssh-agent. A similar
   problem exists in the X11 forwarding implementation.

3. Impact:

   Hostile servers can access your X11 display or your ssh-agent.

4. Short Term Solution:

   Clear both the $DISPLAY and the $SSH_AUTH_SOCK variable before
   connecting to untrusted hosts:

       % unset SSH_AUTH_SOCK; unset DISPLAY; ssh host

5. Solution:

   Upgrade to OpenSSH-2.3.0 or apply the attached patch. OpenSSH-2.3.0 is
   available from www.openssh.com.

6. Credits:

   Thanks to Jacob Langseth <jwl at pobox.com> for pointing out the X11
   forwarding issue.

*snip*

> -----Original Message-----
> From: tclug-list-admin at lists.real-time.com
> [mailto:tclug-list-admin at lists.real-time.com]On Behalf Of
> dopp at acm.cs.umn.edu
> Sent: Wednesday, November 15, 2000 2:48 PM
> To: HOEFFNER at dcmir.med.umn.edu; tclug-list at mn-linux.org
> Cc: dopp at acm.cs.umn.edu
> Subject: [TCLUG] Re: [TCLUG:23792] OPENSSH
>
>
> You may as well compile 2.3.0p1. I just compiled it on a default RH6.2
> install (well, I had to install OpenSSL first, of course) and it compiled
> just fine. Besides, OpenSSH just announced a bug in versions < 2.3.0 that
> allows people to arbitrarily open X authentication through you, or some
> such evil thing. The notice came out a couple days ago. Sadly, I've
> deleted it, but I'm sure it's on their page somewhere.
>
> Gabe
>
> On Wed, Nov 15, 2000 at 02:36:03PM -0600, HOEFFNER at dcmir.med.umn.edu wrote:
> > Hi
> >
> > Thanks for the reply. I'm installing 2.2.0p1. I've managed to install
> > it on 2 versions of Irix, but not without a few difficulties. Now this.
> > I'm figuring I must've run configure wrong since it really shouldn't be
> > as difficult as it has been, but I can't see how. I was hoping some of
> > you guys would've seen this before. Oh well...
> >
> > Thanks again
> >
> > Ed Hoeffner
>
> --
> --------------------------------------------------------------------------------
> Gabe Turner                                  | X-President,
> UNIX Systems Administrator,                  | Assoc. for Computing Machinery
> U of M Supercomputing Institute for          | University of Minnesohta
> Digital Simulation and Advanced Computation  | dopp at acm.cs.umn.edu
>
> "Of all the systems of religion that ever were invented, there is no more
> derogatory to the Almighty, more unedifying to man, more repugnant to reason,
> and more contradictory to itself than this thing called Christianity."
>                                              - Thomas Paine
> -------------------------------------------------------------------------------
> _______________________________________________
> tclug-list mailing list
> tclug-list at lists.real-time.com
> https://mailman.real-time.com/mailman/listinfo/tclug-list
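As an added example (not part of the advisory or of this list thread), the following POSIX shell functions check whether an `ssh -V` banner describes a client older than 2.3.0, the affected range named in the advisory, and wrap ssh so that the advisory's short-term mitigation (no SSH_AUTH_SOCK, no DISPLAY in the client's environment) is applied for that one connection. The banner strings in the comments are constructed samples; the function names are my own.

```shell
#!/bin/sh
# Added example: version check for the "prior to 2.3.0" range from the
# advisory, plus a wrapper applying its short-term mitigation.

# Parse a banner such as "OpenSSH_2.2.0p1, SSH protocols 1.5/2.0, ..."
# (constructed sample) into "major minor patch"; fails on unrecognised input.
openssh_version_fields() {
    v=$(printf '%s\n' "$1" | sed -n 's/.*OpenSSH_\([0-9][0-9.]*\).*/\1/p')
    [ -n "$v" ] || return 1
    oldIFS=$IFS; IFS=.; set -- $v; IFS=$oldIFS
    printf '%s %s %s\n' "${1:-0}" "${2:-0}" "${3:-0}"
}

# Exit 0 when the banner is older than 2.3.0 (affected), 1 when it is
# 2.3.0 or newer, 2 when the banner could not be parsed at all.
openssh_prior_to_2_3_0() {
    set -- $(openssh_version_fields "$1")
    [ "$#" -eq 3 ] || return 2
    if [ "$1" -lt 2 ]; then return 0; fi
    if [ "$1" -eq 2 ] && [ "$2" -lt 3 ]; then return 0; fi
    return 1
}

# Report on the locally installed client (ssh prints its banner on stderr).
check_local_ssh() {
    banner=$(ssh -V 2>&1) || return 2
    if openssh_prior_to_2_3_0 "$banner"; then
        echo "affected: $banner"; return 0
    else
        echo "not in affected range: $banner"; return 1
    fi
}

# The advisory's mitigation, scoped to one ssh invocation: the agent socket
# and display are unset in a subshell, so the caller's environment is kept.
safe_ssh() {
    ( unset SSH_AUTH_SOCK DISPLAY; exec ssh "$@" )
}
```

Running `check_local_ssh` tells you whether the installed client falls in the advisory's range; `safe_ssh host` connects the way the advisory's one-liner does without touching your shell's own variables.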