• Bug#1103979: bookworm-pu: package openssh/1:9.2p1-2+deb12u6

    From Colin Watson@21:1/5 to All on Wed Apr 23 14:00:01 2025
    XPost: linux.debian.devel.release

    Package: release.debian.org
    Severity: normal
    Tags: bookworm
    X-Debbugs-Cc: openssh@packages.debian.org
    Control: affects -1 + src:openssh
    User: release.debian.org@packages.debian.org
    Usertags: pu

    [ Reason ]
    The security team marked CVE-2025-32728 (#1102603) as no-dsa, but I'd
    like to at least get the fix into the next stable point release.

    The bug is not a regression from any version I know of; it's present
    back to at least stretch.

    [ Impact ]
    The DisableForwarding option in sshd_config doesn't do what it says in
    the documentation in terms of disabling X11 and agent forwarding (both
    of which are enabled by default in Debian; in the former case this is
    Debian-specific).

    [ Tests ]
    There are no particular automated tests, but I've manually tested that
    "DisableForwarding yes" didn't disable X11 or agent forwarding with the
    old version and that it now does.

    [ Risks ]
    The change just adds a single extra option check to two conditions, so I
    consider it low-risk.

    [ Checklist ]
    [x] *all* changes are documented in the d/changelog
    [x] I reviewed all changes and I approve them
    [x] attach debdiff against the package in (old)stable
    [x] the issue is verified as fixed in unstable

    [ Changes ]
    fix-disable-forwarding.patch adds options.disable_forwarding checks to
    the agent and X11 forwarding paths.

    There's a bit of noise due to git deciding to serialize the existing
    CVE-2023-48795.patch and gssapi.patch, but the actual code there is
    unchanged.

    Thanks,

    --
    Colin Watson (he/him) [cjwatson@debian.org]

    diff -Nru openssh-9.2p1/debian/.git-dpm openssh-9.2p1/debian/.git-dpm
    --- openssh-9.2p1/debian/.git-dpm 2025-02-14 13:06:46.000000000 +0000
    +++ openssh-9.2p1/debian/.git-dpm 2025-04-15 12:07:49.000000000 +0100
    @@ -1,6 +1,6 @@
    # see git-dpm(1) from git-dpm package -b430b77904fa045d5753bad32f6c8a582396db57 -b430b77904fa045d5753bad32f6c8a582396db57 +cf9b65754f0e54de11d075fc7317ae90a1ae4389 +cf9b65754f0e54de11d075fc7317ae90a1ae4389
    cf3c3acb2b8f74eeca7fcee269b1d33ac83f1188
    cf3c3acb2b8f74eeca7fcee269b1d33ac83f1188
    openssh_9.2p1.orig.tar.gz
    diff -Nru openssh-9.2p1/debian/changelog openssh-9.2p1/debian/changelog
    --- openssh-9.2p1/debian/changelog 2025-02-14 13:06:51.000000000 +0000
    +++ openssh-9.2p1/debian/changelog 2025-04-15 12:07:53.000000000 +0100
    @@ -1,3 +1,11 @@
    +openssh (1:9.2p1-2+deb12u6) UNRELEASED; urgency=medium
    +
    + * CVE-2025-32728: sshd(8): fix the DisableForwarding directive, which was
    + failing to disable X11 forwarding and agent forwarding as documented
    + (closes: #1102603).
    +
    + -- Colin Watson <cjwatson@debian.org> Tue, 15 Apr 2025 12:0
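    Review bot: the distribution in the new changelog stanza is still UNRELEASED (`+openssh (1:9.2p1-2+deb12u6) UNRELEASED; urgency=medium`); for a bookworm-pu upload it needs to read bookworm before the package is built. Separately, the debdiff as pasted here breaks off in the changelog trailer line and never reaches the fix-disable-forwarding.patch hunk named under [Changes], so the two options.disable_forwarding checks on the agent and X11 forwarding paths cannot be verified from this message; please attach the complete debdiff.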
  • From Adam D. Barratt@21:1/5 to Colin Watson on Sun May 4 13:00:01 2025
    XPost: linux.debian.maint.boot, linux.debian.devel.release

    Control: tags -1 + confirmed

    On Wed, 2025-04-23 at 12:52 +0100, Colin Watson wrote:
    > The security team marked CVE-2025-32728 (#1102603) as no-dsa, but I'd
    > like to at least get the fix into the next stable point release.
    >
    > The bug is not a regression from any version I know of; it's present
    > back to at least stretch.
    >
    > [ Impact ]
    > The DisableForwarding option in sshd_config doesn't do what it says
    > in the documentation in terms of disabling X11 and agent forwarding
    > (both of which are enabled by default in Debian; in the former case
    > this is Debian-specific).

    Please go ahead.

    Regards,

    Adam

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
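    As an added illustration of the [Impact] passage quoted above (my own helper, not code from the bug report or from the openssh package), the following audits an sshd_config for setups that counted on DisableForwarding alone to switch off X11 and agent forwarding, which is exactly the case the unfixed sshd got wrong. The sample config, the ASSUMED_DEFAULTS table and the fixed_version flag are constructed assumptions.

```python
"""Constructed audit helper: does this sshd_config rely on DisableForwarding
alone to switch off X11 and agent forwarding?  Before the fix for
CVE-2025-32728 that directive left both enabled, so such a config was exposed."""
import re
# Global-scope defaults assumed here: the Debian X11Forwarding=yes default that
# the report mentions, plus upstream's AllowAgentForwarding=yes.
ASSUMED_DEFAULTS = {"x11forwarding": "yes", "allowagentforwarding": "yes",
                    "disableforwarding": "no"}

def parse_global(config_text):
    """First occurrence of a keyword wins; stop at the first Match block,
    because everything after it is conditional, not global."""
    seen = {}
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        key = parts[0].lower()
        if key == "match":
            break
        seen.setdefault(key, parts[1].strip().lower() if len(parts) > 1 else "")
    return seen

def effective_forwarding(config_text, fixed_version=True):
    """Return whether X11 and agent forwarding end up enabled, and whether the
    config counts on DisableForwarding to turn them off (the buggy path)."""
    opts = dict(ASSUMED_DEFAULTS)
    opts.update({k: v for k, v in parse_global(config_text).items() if k in opts})
    disable = opts["disableforwarding"] == "yes"
    x11 = opts["x11forwarding"] == "yes"
    agent = opts["allowagentforwarding"] == "yes"
    blanket = disable and fixed_version   # unfixed sshd ignored the blanket switch
    return {"x11": x11 and not blanket,
            "agent": agent and not blanket,
            "relies_on_disableforwarding": disable and (x11 or agent)}
# Constructed sample: DisableForwarding set, but no explicit per-feature "no"
# at global scope (the X11Forwarding line sits inside a Match block).
SAMPLE_CONFIG = """
Port 22
DisableForwarding yes
PermitRootLogin no
Match User deploy
    X11Forwarding no
"""

if __name__ == "__main__":
    for fixed in (False, True):
        print("fixed" if fixed else "unfixed", effective_forwarding(SAMPLE_CONFIG, fixed))
```

    A config that explicitly sets X11Forwarding no and AllowAgentForwarding no at global scope is reported as not relying on DisableForwarding, which is the safe shape on hosts that cannot yet take the fixed package.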
  • From Adam D Barratt@21:1/5 to All on Thu May 8 22:30:01 2025
    XPost: linux.debian.devel.release

    package release.debian.org
    tags 1103979 = bookworm pending
    thanks

    Hi,

    The upload referenced by this bug report has been flagged for acceptance
    into the proposed-updates queue for Debian bookworm.

    Thanks for your contribution!

    Upload details
    ==============

    Package: openssh
    Version: 9.2p1-2+deb12u6

    Explanation: fix the DisableForwarding directive [CVE-2025-32728]
