Source: openssh
Version: 1:7.4p1-1
Severity: important
Tags: security upstream
X-Debbugs-Cc: carnil@debian.org, Debian Security Team <team@security.debian.org>

Hi,

The following vulnerability was published for openssh.

CVE-2025-32728[0]:
| In sshd in OpenSSH before 10.0, the DisableForwarding directive does
| not adhere to the documentation stating that it disables X11 and
| agent forwarding.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2025-32728
https://www.cve.org/CVERecord?id=CVE-2025-32728
[1] https://github.com/openssh/openssh-portable/commit/fc86875e6acb36401dfc1dfb6b628a9d1460f367
[2] https://lists.mindrot.org/pipermail/openssh-unix-dev/2025-April/041879.html

Regards,
Salvatore

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

On Thu, Apr 10, 2025 at 10:20:44PM +0200, Salvatore Bonaccorso wrote:

The following vulnerability was published for openssh.

CVE-2025-32728[0]:
| In sshd in OpenSSH before 10.0, the DisableForwarding directive does
| not adhere to the documentation stating that it disables X11 and
| agent forwarding.

I'd like to upload the attached changes to bookworm-security, as well as
to bullseye-security for LTS (after the usual changelog finalization).
Do these debdiffs look good to you? There's a bit of noise due to git
deciding to serialize some patches slightly differently, but the added
patch is the only effective change in both cases.

Thanks,

--
Colin Watson (he/him) [cjwatson@debian.org]

diff -Nru openssh-9.2p1/debian/.git-dpm openssh-9.2p1/debian/.git-dpm
--- openssh-9.2p1/debian/.git-dpm 2025-02-14 13:06:46.000000000 +0000
+++ openssh-9.2p1/debian/.git-dpm 2025-04-15 12:07:49.000000000 +0100
@@ -1,6 +1,6 @@
# see git-dpm(1) from git-dpm package -b430b77904fa045d5753bad32f6c8a582396db57 -b430b77904fa045d5753bad32f6c8a582396db57 +cf9b65754f0e54de11d075fc7317ae90a1ae4389 +cf9b65754f0e54de11d075fc7317ae90a1ae4389
cf3c3acb2b8f74eeca7fcee269b1d33ac83f1188
cf3c3acb2b8f74eeca7fcee269b1d33ac83f1188
openssh_9.2p1.orig.tar.gz
diff -Nru openssh-9.2p1/debian/changelog openssh-9.2p1/debian/changelog
--- openssh-9.2p1/debian/changelog 2025-02-14 13:06:51.000000000 +0000
+++ openssh-9.2p1/debian/changelog 2025-04-15 12:07:53.000000000 +0100
@@ -1,3 +1,11 @@
+openssh (1:9.2p1-2+deb12u6) UNRELEASED; urgency=medium
+
+ * CVE-2025-32728: sshd(8): fix the DisableForwarding directive, which was
+ failing to disable X11 forwarding and agent forwarding as documented
+ (closes: #1102603).
+
+ -- Colin Watson <cjwatson@debian.org> Tue, 15 Apr 2025 12:0

Hi Colin,

On Tue, Apr 15, 2025 at 02:36:09PM +0100, Colin Watson wrote:

On Thu, Apr 10, 2025 at 10:20:44PM +0200, Salvatore Bonaccorso wrote:

The following vulnerability was published for openssh.

CVE-2025-32728[0]:
| In sshd in OpenSSH before 10.0, the DisableForwarding directive does
| not adhere to the documentation stating that it disables X11 and
| agent forwarding.

I'd like to upload the attached changes to bookworm-security, as well as to bullseye-security for LTS (after the usual changelog finalization). Do
these debdiffs look good to you? There's a bit of noise due to git deciding to serialize some patches slightly differently, but the added patch is the only effective change in both cases.

We initially marked it as no-dsa for bookworm and so the fix could go
to the next point release. But given you are suggesting a DSA, maybe
we might have missed something important here? Can you elaborate where
we might have overseen something makeing it warrant a DSA?

What I do understand is that the sshd side envforcing is so not doing
as documented, and AllowAgentForwarding is by default on yes, where X11Forwarding is changed to default to yes in Debian.
So we have in any case a slight difference here in Debian vs.
upstream. ForwardAgent client side is disabled by default.

And this has been broken for afaiu so many years that batching the
update in the next point release seemed initially sufficient?

Regards,
Salvatore

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

On Tue, Apr 15, 2025 at 09:38:21PM +0200, Salvatore Bonaccorso wrote:

On Tue, Apr 15, 2025 at 02:36:09PM +0100, Colin Watson wrote:

On Thu, Apr 10, 2025 at 10:20:44PM +0200, Salvatore Bonaccorso wrote:

The following vulnerability was published for openssh.

CVE-2025-32728[0]:
| In sshd in OpenSSH before 10.0, the DisableForwarding directive does
| not adhere to the documentation stating that it disables X11 and
| agent forwarding.

I'd like to upload the attached changes to bookworm-security, as well as to >> bullseye-security for LTS (after the usual changelog finalization). Do
these debdiffs look good to you? There's a bit of noise due to git deciding >> to serialize some patches slightly differently, but the added patch is the >> only effective change in both cases.

We initially marked it as no-dsa for bookworm and so the fix could go
to the next point release. But given you are suggesting a DSA, maybe
we might have missed something important here? Can you elaborate where
we might have overseen something makeing it warrant a DSA?

What I do understand is that the sshd side envforcing is so not doing
as documented, and AllowAgentForwarding is by default on yes, where >X11Forwarding is changed to default to yes in Debian.
So we have in any case a slight difference here in Debian vs.
upstream. ForwardAgent client side is disabled by default.

And this has been broken for afaiu so many years that batching the
update in the next point release seemed initially sufficient?

No, that's fine, I hadn't noticed that you'd marked it as no-dsa. I'll
file a stable update bug for it.

Thanks,

--
Colin Watson (he/him) [cjwatson@debian.org]

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

Hi Colin,

On Wed, Apr 23, 2025 at 12:38:41PM +0100, Colin Watson wrote:

On Tue, Apr 15, 2025 at 09:38:21PM +0200, Salvatore Bonaccorso wrote:

On Tue, Apr 15, 2025 at 02:36:09PM +0100, Colin Watson wrote:

On Thu, Apr 10, 2025 at 10:20:44PM +0200, Salvatore Bonaccorso wrote:

The following vulnerability was published for openssh.

CVE-2025-32728[0]:
| In sshd in OpenSSH before 10.0, the DisableForwarding directive does | not adhere to the documentation stating that it disables X11 and
| agent forwarding.

I'd like to upload the attached changes to bookworm-security, as well as to
bullseye-security for LTS (after the usual changelog finalization). Do these debdiffs look good to you? There's a bit of noise due to git deciding
to serialize some patches slightly differently, but the added patch is the
only effective change in both cases.

We initially marked it as no-dsa for bookworm and so the fix could go
to the next point release. But given you are suggesting a DSA, maybe
we might have missed something important here? Can you elaborate where
we might have overseen something makeing it warrant a DSA?

What I do understand is that the sshd side envforcing is so not doing
as documented, and AllowAgentForwarding is by default on yes, where X11Forwarding is changed to default to yes in Debian.
So we have in any case a slight difference here in Debian vs.
upstream. ForwardAgent client side is disabled by default.

And this has been broken for afaiu so many years that batching the
update in the next point release seemed initially sufficient?

No, that's fine, I hadn't noticed that you'd marked it as no-dsa. I'll file a stable update bug for it.

Thank you!

Regards,
Salvatore

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)