Launchpad.net

CVE 2008-1657

OpenSSH 4.4 up to versions before 4.9 allows remote authenticated users to bypass the sshd_config ForceCommand directive by modifying the .ssh/rc session file.

Related bugs and status

CVE-2008-1657 (Candidate) is related to these bugs:

Bug #227322: [openssh] [CVE-2008-1657] possibility to bypass global "ForceCommand" directive

		In	Importance	Status
227322	[openssh] [CVE-2008-1657] possibility to bypass global "ForceCommand" directive	openssh (Ubuntu)	Undecided	Fix Released
227322	[openssh] [CVE-2008-1657] possibility to bypass global "ForceCommand" directive	openssh (Ubuntu Gutsy)	Low	Fix Released
227322	[openssh] [CVE-2008-1657] possibility to bypass global "ForceCommand" directive	openssh (Ubuntu Hardy)	Undecided	Fix Released
227322	[openssh] [CVE-2008-1657] possibility to bypass global "ForceCommand" directive	openssh (Ubuntu Intrepid)	Undecided	Fix Released

See the

CVE page on Mitre.org for more details.

References

CONFIRM: http://www.openssh.com...
CONFIRM: https://issues.rpath.c...
OPENBSD: [4.3] 001: SECURITY FI...
BID: 28531
SECTRACK: 1019733
SECUNIA: 29602
SECUNIA: 29609
CONFIRM: http://wiki.rpath.com/...
GENTOO: GLSA-200804-03
SUSE: SUSE-SR:2008:009
SECUNIA: 29683
SECUNIA: 29693
SECUNIA: 29735
NETBSD: NetBSD-SA2008-005
SECUNIA: 29939
CONFIRM: http://aix.software.ib...
SECUNIA: 30361
CONFIRM: http://support.attachm...
APPLE: APPLE-SA-2008-09-15
SECUNIA: 31531
SECUNIA: 31882
CERT: TA08-260A
UBUNTU: USN-649-1
SECUNIA: 32080
SECUNIA: 32110
MANDRIVA: MDVSA-2008:098
VUPEN: ADV-2008-1035
VUPEN: ADV-2008-1624
VUPEN: ADV-2008-2584
VUPEN: ADV-2008-2396
XF: openssh-forcecommand-c...
BUGTRAQ: 20080404 rPSA-2008-013...