• Bug#1102603: openssh: CVE-2025-32728

    From Salvatore Bonaccorso@21:1/5 to All on Thu Apr 10 22:30:01 2025
    Source: openssh
    Version: 1:7.4p1-1
    Severity: important
    Tags: security upstream
    X-Debbugs-Cc: carnil@debian.org, Debian Security Team <team@security.debian.org>

    Hi,

    The following vulnerability was published for openssh.

    CVE-2025-32728[0]:
    | In sshd in OpenSSH before 10.0, the DisableForwarding directive does
    | not adhere to the documentation stating that it disables X11 and
    | agent forwarding.


    If you fix the vulnerability please also make sure to include the
    CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

    For further information see:

    [0] https://security-tracker.debian.org/tracker/CVE-2025-32728
    https://www.cve.org/CVERecord?id=CVE-2025-32728
    [1] https://github.com/openssh/openssh-portable/commit/fc86875e6acb36401dfc1dfb6b628a9d1460f367
    [2] https://lists.mindrot.org/pipermail/openssh-unix-dev/2025-April/041879.html

    Regards,
    Salvatore

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
  • From Colin Watson@21:1/5 to Salvatore Bonaccorso on Tue Apr 15 15:40:01 2025
    On Thu, Apr 10, 2025 at 10:20:44PM +0200, Salvatore Bonaccorso wrote:
    > The following vulnerability was published for openssh.
    >
    > CVE-2025-32728[0]:
    > | In sshd in OpenSSH before 10.0, the DisableForwarding directive does
    > | not adhere to the documentation stating that it disables X11 and
    > | agent forwarding.

    I'd like to upload the attached changes to bookworm-security, as well as
    to bullseye-security for LTS (after the usual changelog finalization).
    Do these debdiffs look good to you? There's a bit of noise due to git
    deciding to serialize some patches slightly differently, but the added
    patch is the only effective change in both cases.

    Thanks,

    --
    Colin Watson (he/him) [cjwatson@debian.org]

    diff -Nru openssh-9.2p1/debian/.git-dpm openssh-9.2p1/debian/.git-dpm
    --- openssh-9.2p1/debian/.git-dpm 2025-02-14 13:06:46.000000000 +0000
    +++ openssh-9.2p1/debian/.git-dpm 2025-04-15 12:07:49.000000000 +0100
    @@ -1,6 +1,6 @@
    # see git-dpm(1) from git-dpm package -b430b77904fa045d5753bad32f6c8a582396db57 -b430b77904fa045d5753bad32f6c8a582396db57 +cf9b65754f0e54de11d075fc7317ae90a1ae4389 +cf9b65754f0e54de11d075fc7317ae90a1ae4389
    cf3c3acb2b8f74eeca7fcee269b1d33ac83f1188
    cf3c3acb2b8f74eeca7fcee269b1d33ac83f1188
    openssh_9.2p1.orig.tar.gz
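    Review bot: this .git-dpm hunk changes only the two patched-branch commit ids (b430b77904fa045d5753bad32f6c8a582396db57 to cf9b65754f0e54de11d075fc7317ae90a1ae4389), while the upstream commit cf3c3acb2b8f74eeca7fcee269b1d33ac83f1188 and openssh_9.2p1.orig.tar.gz stay as they were, which is the bookkeeping expected when one patch is added on top of the existing series and is the "noise" the cover message mentions rather than a change to review on its own. The hunk's +/- lines have been run together onto a single line in this copy, so the original debdiff should be consulted for the exact line layout.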
    diff -Nru openssh-9.2p1/debian/changelog openssh-9.2p1/debian/changelog
    --- openssh-9.2p1/debian/changelog 2025-02-14 13:06:51.000000000 +0000
    +++ openssh-9.2p1/debian/changelog 2025-04-15 12:07:53.000000000 +0100
    @@ -1,3 +1,11 @@
    +openssh (1:9.2p1-2+deb12u6) UNRELEASED; urgency=medium
    +
    + * CVE-2025-32728: sshd(8): fix the DisableForwarding directive, which was
    + failing to disable X11 forwarding and agent forwarding as documented
    + (closes: #1102603).
    +
    + -- Colin Watson <cjwatson@debian.org> Tue, 15 Apr 2025 12:0
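    Review bot: the changelog entry still carries the UNRELEASED distribution and its maintainer/date trailer is cut off after `12:0`, so before upload it needs the target distribution (bookworm-security for this debdiff) and a complete trailer, which is the changelog finalization the cover message already mentions; the version 1:9.2p1-2+deb12u6 and the `(closes: #1102603)` reference look right for this bug. The debian/patches file that is the actual fix does not appear in the portion of the debdiff shown here, so the CVE fix itself cannot be reviewed from this hunk.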
  • From Salvatore Bonaccorso@21:1/5 to Colin Watson on Tue Apr 15 21:50:01 2025
    Hi Colin,

    On Tue, Apr 15, 2025 at 02:36:09PM +0100, Colin Watson wrote:
    > On Thu, Apr 10, 2025 at 10:20:44PM +0200, Salvatore Bonaccorso wrote:
    > > The following vulnerability was published for openssh.
    > >
    > > CVE-2025-32728[0]:
    > > | In sshd in OpenSSH before 10.0, the DisableForwarding directive does
    > > | not adhere to the documentation stating that it disables X11 and
    > > | agent forwarding.
    >
    > I'd like to upload the attached changes to bookworm-security, as well as
    > to bullseye-security for LTS (after the usual changelog finalization).
    > Do these debdiffs look good to you? There's a bit of noise due to git
    > deciding to serialize some patches slightly differently, but the added
    > patch is the only effective change in both cases.

    We initially marked it as no-dsa for bookworm and so the fix could go
    to the next point release. But given you are suggesting a DSA, maybe
    we might have missed something important here? Can you elaborate where
    we might have overlooked something making it warrant a DSA?

    What I do understand is that the sshd-side enforcing is thus not doing
    as documented, and AllowAgentForwarding is by default on yes, whereas
    X11Forwarding is changed to default to yes in Debian. So we have in
    any case a slight difference here in Debian vs. upstream. ForwardAgent
    client side is disabled by default.

    And this has been broken for afaiu so many years that batching the
    update in the next point release seemed initially sufficient?

    Regards,
    Salvatore

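    The point above about sshd-side enforcement and the Debian defaults suggests a check an administrator can run on an unfixed sshd. The script below is an added example, not code from the bug report, from Debian or from OpenSSH: it reads `sshd -T` output and lists the forwarding keywords that DisableForwarding is documented to cover but that are not explicitly set to no, so the configuration does not rely on the directive alone. The `sshd -T` dump embedded in it is constructed for the example, not captured from a host.

```shell
#!/bin/sh
# Added example, not code from the bug report or from OpenSSH: audit the
# effective sshd configuration ("sshd -T" output, lowercase keyword/value
# pairs) instead of trusting DisableForwarding alone, because on affected
# versions it leaves X11 and agent forwarding enabled. Explicit "no"
# settings work on every version, so that is what the audit asks for.
# The dump below is constructed for this example (Debian-style defaults:
# X11Forwarding yes, AllowAgentForwarding yes), not captured from a host.
SAMPLE_SSHD_T='disableforwarding yes
allowagentforwarding yes
x11forwarding yes
allowtcpforwarding no
allowstreamlocalforwarding no
permittunnel no
gatewayports no'

# Keywords that DisableForwarding is documented to cover; all must be "no".
FORWARDING_KEYWORDS='allowagentforwarding x11forwarding allowtcpforwarding
allowstreamlocalforwarding permittunnel gatewayports'

# Print the value of one keyword from an sshd -T dump given on stdin.
get_opt() {
    awk -v k="$1" '$1 == k { print $2; exit }'
}

# Read an sshd -T dump from stdin. If DisableForwarding is on, print each
# forwarding keyword that is not explicitly "no" (a missing keyword counts
# as not set) and return 1; return 0 when every keyword is explicitly
# disabled or when DisableForwarding is not in use at all.
audit_forwarding() {
    dump=$(cat)
    [ "$(printf '%s\n' "$dump" | get_opt disableforwarding)" = yes ] || return 0
    rc=0
    for kw in $FORWARDING_KEYWORDS; do
        val=$(printf '%s\n' "$dump" | get_opt "$kw")
        if [ "$val" != no ]; then
            echo "$kw ${val:-<unset>}"
            rc=1
        fi
    done
    return $rc
}

# Stand-alone run against the constructed dump; on a real host pipe in
# the output of "sshd -T" instead.
if printf '%s\n' "$SAMPLE_SSHD_T" | audit_forwarding; then
    echo "DisableForwarding is backed by explicit settings"
else
    echo "set the keywords above to 'no' explicitly in sshd_config"
fi
```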
  • From Colin Watson@21:1/5 to Salvatore Bonaccorso on Wed Apr 23 13:50:02 2025
    On Tue, Apr 15, 2025 at 09:38:21PM +0200, Salvatore Bonaccorso wrote:
    > On Tue, Apr 15, 2025 at 02:36:09PM +0100, Colin Watson wrote:
    > > On Thu, Apr 10, 2025 at 10:20:44PM +0200, Salvatore Bonaccorso wrote:
    > > > The following vulnerability was published for openssh.
    > > >
    > > > CVE-2025-32728[0]:
    > > > | In sshd in OpenSSH before 10.0, the DisableForwarding directive does
    > > > | not adhere to the documentation stating that it disables X11 and
    > > > | agent forwarding.
    > >
    > > I'd like to upload the attached changes to bookworm-security, as well as
    > > to bullseye-security for LTS (after the usual changelog finalization).
    > > Do these debdiffs look good to you? There's a bit of noise due to git
    > > deciding to serialize some patches slightly differently, but the added
    > > patch is the only effective change in both cases.
    >
    > We initially marked it as no-dsa for bookworm and so the fix could go
    > to the next point release. But given you are suggesting a DSA, maybe
    > we might have missed something important here? Can you elaborate where
    > we might have overlooked something making it warrant a DSA?
    >
    > What I do understand is that the sshd-side enforcing is thus not doing
    > as documented, and AllowAgentForwarding is by default on yes, whereas
    > X11Forwarding is changed to default to yes in Debian. So we have in
    > any case a slight difference here in Debian vs. upstream. ForwardAgent
    > client side is disabled by default.
    >
    > And this has been broken for afaiu so many years that batching the
    > update in the next point release seemed initially sufficient?

    No, that's fine, I hadn't noticed that you'd marked it as no-dsa. I'll
    file a stable update bug for it.

    Thanks,

    --
    Colin Watson (he/him) [cjwatson@debian.org]

  • From Salvatore Bonaccorso@21:1/5 to Colin Watson on Thu Apr 24 21:00:01 2025
    Hi Colin,

    On Wed, Apr 23, 2025 at 12:38:41PM +0100, Colin Watson wrote:
    > On Tue, Apr 15, 2025 at 09:38:21PM +0200, Salvatore Bonaccorso wrote:
    > > On Tue, Apr 15, 2025 at 02:36:09PM +0100, Colin Watson wrote:
    > > > On Thu, Apr 10, 2025 at 10:20:44PM +0200, Salvatore Bonaccorso wrote:
    > > > > The following vulnerability was published for openssh.
    > > > >
    > > > > CVE-2025-32728[0]:
    > > > > | In sshd in OpenSSH before 10.0, the DisableForwarding directive does
    > > > > | not adhere to the documentation stating that it disables X11 and
    > > > > | agent forwarding.
    > > >
    > > > I'd like to upload the attached changes to bookworm-security, as well as
    > > > to bullseye-security for LTS (after the usual changelog finalization).
    > > > Do these debdiffs look good to you? There's a bit of noise due to git
    > > > deciding to serialize some patches slightly differently, but the added
    > > > patch is the only effective change in both cases.
    > >
    > > We initially marked it as no-dsa for bookworm and so the fix could go
    > > to the next point release. But given you are suggesting a DSA, maybe
    > > we might have missed something important here? Can you elaborate where
    > > we might have overlooked something making it warrant a DSA?
    > >
    > > What I do understand is that the sshd-side enforcing is thus not doing
    > > as documented, and AllowAgentForwarding is by default on yes, whereas
    > > X11Forwarding is changed to default to yes in Debian. So we have in
    > > any case a slight difference here in Debian vs. upstream. ForwardAgent
    > > client side is disabled by default.
    > >
    > > And this has been broken for afaiu so many years that batching the
    > > update in the next point release seemed initially sufficient?
    >
    > No, that's fine, I hadn't noticed that you'd marked it as no-dsa. I'll
    > file a stable update bug for it.

    Thank you!

    Regards,
    Salvatore
