XPost: linux.debian.devel.release
Package: release.debian.org
Severity: normal
Tags: bookworm
X-Debbugs-Cc: openssh@packages.debian.org
Control: affects -1 + src:openssh
User: release.debian.org@packages.debian.org
Usertags: pu
[ Reason ]
The security team marked CVE-2025-32728 (#1102603) as no-dsa, but I'd
like to at least get the fix into the next stable point release.
The bug is not a regression from any version I know of; it's present
back to at least stretch.
[ Impact ]
The DisableForwarding option in sshd_config doesn't do what it says in
the documentation in terms of disabling X11 and agent forwarding (both
of which are enabled by default in Debian; in the former case this is Debian-specific).
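As an added example (not code from the report or from the openssh package), a small audit of an sshd_config's global section that says whether X11 and agent forwarding are actually off on an sshd with or without this fix, so a bookworm host that relies on DisableForwarding alone can be found and given explicit X11Forwarding no / AllowAgentForwarding no in the meantime. It assumes the Debian default X11Forwarding yes and the upstream default AllowAgentForwarding yes, does not follow Include or Match blocks, and the sample configs are constructed.

```python
import re

# Defaults assumed here: Debian ships X11Forwarding yes (as the report
# notes) and upstream defaults AllowAgentForwarding to yes.
DEFAULTS = {"x11forwarding": "yes", "allowagentforwarding": "yes",
            "disableforwarding": "no"}

# keyword, then "=" or whitespace, then the value (sshd_config(5) syntax)
_DIRECTIVE = re.compile(r"^([A-Za-z0-9]+)\s*(?:=\s*|\s+)(.*?)\s*$")

def parse_global(text):
    """Effective global keyword -> value map of an sshd_config: keywords are
    case-insensitive and the first value seen for a keyword wins. Parsing
    stops at the first Match block; Include is not followed (assumptions)."""
    seen = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = _DIRECTIVE.match(line)
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2).lower()
        if key == "match":
            break
        seen.setdefault(key, value)  # first occurrence wins
    return {k: seen.get(k, v) for k, v in DEFAULTS.items()}

def forwarding_state(text, disable_forwarding_fixed):
    """Whether X11 and agent forwarding are really off. On an sshd without
    the CVE-2025-32728 fix, DisableForwarding does not reach these two
    paths, so only the per-feature keywords count there."""
    cfg = parse_global(text)
    blanket = cfg["disableforwarding"] == "yes" and disable_forwarding_fixed
    x11_off = blanket or cfg["x11forwarding"] == "no"
    agent_off = blanket or cfg["allowagentforwarding"] == "no"
    return {
        "x11_off": x11_off,
        "agent_off": agent_off,
        # the admin set DisableForwarding yes but one of the two is reachable
        "relies_on_unfixed_directive": (cfg["disableforwarding"] == "yes"
                                        and not (x11_off and agent_off)),
    }

# Constructed sample: bookworm host that added only the blanket directive.
SAMPLE_BLANKET_ONLY = "DisableForwarding yes\nX11Forwarding yes\n"
# Constructed sample: explicit per-feature settings, safe with or without the fix.
SAMPLE_EXPLICIT = "DisableForwarding=yes\nX11Forwarding no\nAllowAgentForwarding no\n"
```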
[ Tests ]
There are no particular automated tests, but I've manually tested that "DisableForwarding yes" didn't disable X11 or agent forwarding with the
old version and that it now does.
[ Risks ]
The change just adds a single extra option check to two conditions, so I consider it low-risk.
[ Checklist ]
[x] *all* changes are documented in the d/changelog
[x] I reviewed all changes and I approve them
[x] attach debdiff against the package in (old)stable
[x] the issue is verified as fixed in unstable
[ Changes ]
fix-disable-forwarding.patch adds options.disable_forwarding checks to
the agent and X11 forwarding paths.
There's a bit of noise due to git deciding to serialize the existing CVE-2023-48795.patch and gssapi.patch, but the actual code there is
unchanged.
Thanks,
--
Colin Watson (he/him) [cjwatson@debian.org]
diff -Nru openssh-9.2p1/debian/.git-dpm openssh-9.2p1/debian/.git-dpm
--- openssh-9.2p1/debian/.git-dpm 2025-02-14 13:06:46.000000000 +0000
+++ openssh-9.2p1/debian/.git-dpm 2025-04-15 12:07:49.000000000 +0100
@@ -1,6 +1,6 @@
# see git-dpm(1) from git-dpm package -b430b77904fa045d5753bad32f6c8a582396db57 -b430b77904fa045d5753bad32f6c8a582396db57 +cf9b65754f0e54de11d075fc7317ae90a1ae4389 +cf9b65754f0e54de11d075fc7317ae90a1ae4389
cf3c3acb2b8f74eeca7fcee269b1d33ac83f1188
cf3c3acb2b8f74eeca7fcee269b1d33ac83f1188
openssh_9.2p1.orig.tar.gz
diff -Nru openssh-9.2p1/debian/changelog openssh-9.2p1/debian/changelog
--- openssh-9.2p1/debian/changelog 2025-02-14 13:06:51.000000000 +0000
+++ openssh-9.2p1/debian/changelog 2025-04-15 12:07:53.000000000 +0100
@@ -1,3 +1,11 @@
+openssh (1:9.2p1-2+deb12u6) UNRELEASED; urgency=medium
+
+ * CVE-2025-32728: sshd(8): fix the DisableForwarding directive, which was
+ failing to disable X11 forwarding and agent forwarding as documented
+ (closes: #1102603).
+
+ -- Colin Watson <
cjwatson@debian.org> Tue, 15 Apr 2025 12:0
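Review bot: the new changelog stanza targets UNRELEASED rather than bookworm, so for the pu upload the distribution line needs to be finalised (the trailer line is also cut off here after "Tue, 15 Apr 2025 12:0"). Beyond the changelog, the debdiff as shown stops before fix-disable-forwarding.patch itself, so the options.disable_forwarding checks described in [ Changes ] for the agent and X11 paths cannot be confirmed from these hunks; the patch hunk should be included for review.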