Bug 440268 (CVE-2008-1657)
| Summary: | CVE-2008-1657 openssh: commands in ~/.ssh/rc override ForceCommand directive | ||
|---|---|---|---|
| Product: | [Other] Security Response | Reporter: | Tomas Hoger <thoger> |
| Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
| Status: | CLOSED NOTABUG | QA Contact: | |
| Severity: | low | Docs Contact: | |
| Priority: | low | ||
| Version: | unspecified | CC: | tmraz |
| Target Milestone: | --- | Keywords: | Security |
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | Doc Type: | Bug Fix | |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2010-12-23 16:54:06 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
| Bug Depends On: | 280461, 440375, 440376 | ||
| Bug Blocks: | |||
|
Description
Tomas Hoger
2008-04-02 15:34:40 UTC
Affects only F7, F8 & Rawhide. Tomas is obviously right. ForceCommand directive was introduced in OpenSSH version 4.4 (http://openssh.org/txt/release-4.4): Changes since OpenSSH 4.3: ============================ [...] * Added a "ForceCommand" directive to sshd_config(5). Similar to the command="..." option accepted in ~/.ssh/authorized_keys, this forces the execution of the specified command regardless of what the user requested. This is very useful in conjunction with the new "Match" option. Therefore, this issue did not affect versions of openssh packages as shipped with Red Hat Enterprise Linux 2.1, 3, 4, and 5. |