OpenSSH developers up the ante with version 5.0
Only a few days after releasing OpenSSH 4.9, the developers have launched version 5.0 to resolve a vulnerability. In certain circumstances, the SSH daemon binds TCP ports to a local IPv6 interface if all the ports on the IPv4 interface have already been allocated. According to a report, this could be exploited by users logged in with restricted privileges to spy on X11 forwarding sessions.
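A check an administrator could run for this condition, added here as an illustration and not taken from the OpenSSH project or the reports cited below: it reads Linux /proc/net/tcp and /proc/net/tcp6 tables and flags X11 forwarding ports, such as the port 6010 named in the Debian report, whose IPv4 and IPv6 listeners belong to different users. The sample tables are constructed, and the port range and the idea that a listener's UID identifies the session's user are assumptions.

```python
# Added example: flag X11-forwarding ports whose IPv4 and IPv6 listeners
# belong to different users. The sample tables below are constructed.
X11_PORTS = range(6000, 6064)   # assumption: display numbers 0-63
TCP_LISTEN = "0A"               # "st" value for LISTEN in /proc/net/tcp*

SAMPLE_TCP4 = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0100007F:177A 00000000:0000 0A 00000000:00000000 00:00000000 00000000  1001        0 41001
   1: 0100007F:177B 00000000:0000 0A 00000000:00000000 00:00000000 00000000  1002        0 41002
   2: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 40000
"""
SAMPLE_TCP6 = """\
  sl  local_address                         remote_address                        st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000000000000000000001000000:177A 00000000000000000000000000000000:0000 0A 00000000:00000000 00:00000000 00000000  1002        0 41003
   1: 00000000000000000000000001000000:177B 00000000000000000000000000000000:0000 0A 00000000:00000000 00:00000000 00000000  1002        0 41004
"""

def listeners(table):
    """Return {port: set(uids)} for sockets in LISTEN state."""
    found = {}
    for line in table.splitlines()[1:]:          # skip the header row
        fields = line.split()
        if len(fields) < 8 or fields[3] != TCP_LISTEN:
            continue
        port = int(fields[1].rsplit(":", 1)[1], 16)   # port is hex after the last ':'
        found.setdefault(port, set()).add(int(fields[7]))
    return found

def split_owner_ports(tcp4, tcp6, ports=X11_PORTS):
    """Ports listened on over both address families by differing sets of UIDs."""
    v4, v6 = listeners(tcp4), listeners(tcp6)
    return {p: (sorted(v4[p]), sorted(v6[p]))
            for p in ports if p in v4 and p in v6 and v4[p] != v6[p]}

if __name__ == "__main__":
    # On a live Linux host, pass the contents of /proc/net/tcp and /proc/net/tcp6.
    for port, (u4, u6) in split_owner_ports(SAMPLE_TCP4, SAMPLE_TCP6).items():
        print(f"port {port}: IPv4 uid(s) {u4}, IPv6 uid(s) {u6}")
```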
In their release notes, the developers apologise for releasing two new versions in such quick succession, saying that they only found out about the hole through a public CVE report. According to the notes, although the maintainers of Debian were originally informed about the hole in January, they neglected to pass on the information.
However, the flaw was already added to Secunia's public database of vulnerabilities on March 26, and the CVE entry is dated March 24. It appears that this might have given the developers enough time to at least delay the release of version 4.9, which was scheduled for March 30, by a few days.
See also:
- ssh: unprivileged users may hijack forwarded X connections by listening on port 6010, report in the Debian bug database
- OpenSSH 5.0 has just been released, developers' release notes
(mba)