On Tue, Feb 14, 2006 at 03:19:58PM +0000, David Corking wrote:
1. Thanks for the patch and announcement today: SUSE-SA:2006:008
2. There seems to have been a co-ordinated disclosure and release of patches for CVE-2006-0225 on January 25. Why did SuSE (and Debian) not participate in that? Did the other vendors choose not to co-ordinate with SuSE (and Debian)?
3. I have now avidly read the major reports of CVE-2006-0225, most of which classify it as low priority, and all classify it as local. It seems to me, from the reports I read, that it is a local privilege escalation that allows an authenticated scp user to execute arbitrary shell commands, even if they have scp-only privileges.
I am not in any way a skilled penetration tester - so I have to make a judgement based on what I read. Have I misunderstood the other reports, or have the other reports got it right, or have SuSE discovered something new that makes it indeed a *remote* vulnerability?
I was undecided too when choosing it, and I do not see a direct threat. It is post authentication. The only way I understand this is problematic is when you have a scp-only remote configuration and can then execute programs on the remote machine.

Ciao, Marcus