Upstream information

CVE-2008-1657 at MITRE

Description

OpenSSH 4.4 up to versions before 4.9 allows remote authenticated users to bypass the sshd_config ForceCommand directive by modifying the .ssh/rc session file.

SUSE information

Overall state of this security issue: Resolved

This issue is currently rated as having important severity.

CVSS v2 Scores
  National Vulnerability Database
Base Score 6.5
Vector AV:N/AC:L/Au:S/C:P/I:P/A:P
Access Vector Network
Access Complexity Low
Authentication Single
Confidentiality Impact Partial
Integrity Impact Partial
Availability Impact Partial

Note from the SUSE Security Team

SUSE Linux Enterprise 10 SP3 and earlier shipped OpenSSH versions up to 4.2p1, which are not affected by this problem. SUSE Linux Enterprise 10 SP4 and later ship OpenSSH 5.1p1 or newer, which are no longer affected. Since no OpenSSH release in the affected range (4.4 through 4.8) ever shipped on SUSE Linux Enterprise, no updates were needed there. Updates for openSUSE 10.2 and 10.3 have been released.
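As an added illustration (not code from SUSE, MITRE or the OpenSSH project), the following POSIX shell script audits a host for the three conditions that the description and the note above combine: an sshd in the affected 4.4 to 4.8 window, a ForceCommand directive in sshd_config, and a user who has a ~/.ssh/rc that such an sshd executes before the forced command. The version-string format ("OpenSSH_4.7p1", as printed by `ssh -V`), the sample sshd_config, the home-directory layout and the user names "backup" and "alice" are constructed for the example and are not taken from any real host.

```shell
#!/bin/sh
# Added example, not SUSE's or OpenSSH's code. Audits for the CVE-2008-1657
# window: sshd 4.4 <= version < 4.9, ForceCommand configured, and a user
# ~/.ssh/rc that such an sshd runs before the forced command.

# Return 0 when a version string like "OpenSSH_4.7p1" (the form printed by
# `ssh -V`) falls in [4.4, 4.9); 1 otherwise, including unparseable input.
openssh_affected() {
    ver=$(printf '%s' "$1" | sed -n 's/^OpenSSH_\([0-9][0-9]*\)\.\([0-9][0-9]*\).*/\1 \2/p')
    [ -n "$ver" ] || return 1
    set -- $ver                      # $1 = major, $2 = minor
    [ "$1" -eq 4 ] && [ "$2" -ge 4 ] && [ "$2" -lt 9 ]
}

# Return 0 when the sshd_config at $1 contains a ForceCommand directive
# (global or inside a Match block; leading whitespace and case are ignored).
config_forces_command() {
    grep -Eiq '^[[:space:]]*ForceCommand[[:space:]]' "$1"
}

# Print the name of every user under the home root $1 (e.g. /home) whose
# ~/.ssh/rc exists; an sshd in the affected range would execute that file.
users_with_rc() {
    for home in "$1"/*; do
        [ -f "$home/.ssh/rc" ] && basename "$home"
    done
    return 0
}

# Verdict: 0 (exposed) only if all three conditions hold, else 1.
audit_forcecommand_bypass() {
    openssh_affected "$1" || return 1
    config_forces_command "$2" || return 1
    [ -n "$(users_with_rc "$3")" ]
}

# Constructed sample environment (hypothetical config and users, not data
# from any real host): "backup" is restricted to rsync by ForceCommand but
# owns a ~/.ssh/rc; "alice" has no rc file. Prints the directory created.
demo_setup() {
    tmp=$(mktemp -d)
    cat > "$tmp/sshd_config" <<'EOF'
Port 22
PasswordAuthentication no
Match User backup
    ForceCommand /usr/bin/rsync --server --sender . /srv/backup
EOF
    mkdir -p "$tmp/home/backup/.ssh" "$tmp/home/alice/.ssh"
    # Whatever the user puts here runs as that user on an affected sshd,
    # regardless of ForceCommand; a harmless marker command stands in for it.
    printf 'touch "$HOME/rc-was-run"\n' > "$tmp/home/backup/.ssh/rc"
    printf '%s\n' "$tmp"
}

main() {
    dir=$(demo_setup)
    for v in OpenSSH_4.7p1 OpenSSH_5.1p1; do
        if audit_forcecommand_bypass "$v" "$dir/sshd_config" "$dir/home"; then
            echo "$v: EXPOSED, ~/.ssh/rc present for: $(users_with_rc "$dir/home" | tr '\n' ' ')"
        else
            echo "$v: not exposed"
        fi
    done
    rm -rf "$dir"
}
main
```

On a real host you would feed `audit_forcecommand_bypass` the output of `ssh -V`, the live /etc/ssh/sshd_config and /home. The version test is deliberately strict about the "OpenSSH_" prefix so that a patched vendor build with an unexpected banner is reported as not matching rather than silently treated as safe; compare it against the vendor's own statement of which package versions carry the fix, as the SUSE note above does for its releases. Later OpenSSH releases also added means to disable ~/.ssh/rc entirely (the no-user-rc authorized_keys option and, later, the PermitUserRC sshd_config directive), which removes the rc file as a factor regardless of version.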

SUSE Bugzilla entry: 376668 [RESOLVED / FIXED]

SUSE Security Advisories: