Urgent - Potential security hole.

Robert L Cochran cochranb at speakeasy.net
Sat Oct 30 16:13:06 UTC 2004


Satish Balay wrote:

>On Sat, 30 Oct 2004, Paul wrote:
>
>>Hi,
>>
>>I think I've found a hole!
>>
>>I logged into this box from work yesterday via ssh, compiled Mono and
>>some other bits then decided to try if I could run a C# app from this
>>machine and view it at work.
>>
>>I don't have X forwarding enabled and can see this by trying to run
>>Firefox on this machine when logged into my son's box - firefox fails to
>>run.
>>
>>The C# application ran and I could use it at work.
>>
>>I'm using the 643 kernel with everything updated. I'm not sure if this
>>is a mono thing or X forwarding being broken. I'm using selinux
>>targeted.
>>
>>This could be a serious problem and I want to be sure before putting it
>>into bugzilla as a blocker.
>
>You mention 3 different machines 'this box', 'work', 'sons box'. - and
>don't quantify any of them correctly. (which OSes do they run?)
>
>Older ssh by default does 'X11Forwarding' (so firefox should
>work). New version of ssh on FC3 requires '-y' option to do the same.
>
>If you ssh into FC3 (from a different machine with older ssh) - you
>can run firefox.  If you ssh from FC3 into any other machine - you
>need 'ssh -y' for it to work.
>
>Note: this is ssh client side option.
>
>Satish
>
I agree with Satish. Read the release notes for RC5. There is a section 
on openssh.

Bob




More information about the fedora-test-list mailing list