CVE-2016-1908

Name	CVE-2016-1908
Description	The client in OpenSSH before 7.2 mishandles failed cookie generation for untrusted X11 forwarding and relies on the local X11 server for access-control decisions, which allows remote X11 clients to trigger a fallback and obtain trusted X11 forwarding privileges by leveraging configuration issues on this X11 server, as demonstrated by lack of the SECURITY extension on this X11 server.
Source	CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
References	DLA-1500-1

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package	Release	Version	Status
openssh (PTS)	buster	1:7.9p1-10+deb10u2	fixed
	buster (security)	1:7.9p1-10+deb10u4	fixed
	bullseye (security), bullseye	1:8.4p1-5+deb11u3	fixed
	bookworm, bookworm (security)	1:9.2p1-2+deb12u2	fixed
	trixie	1:9.6p1-4	fixed
	sid	1:9.7p1-4	fixed

The information below is based on the following data on fixed versions.

Package	Type	Release	Fixed Version	Urgency	Origin	Debian Bugs
openssh	source	jessie	1:6.7p1-5+deb8u6		DLA-1500-1
openssh	source	(unstable)	1:7.2p1-1

Notes

[wheezy] - openssh <no-dsa> (Minor issue)
[squeeze] - openssh <no-dsa> (Minor issue)
Upstream commit: https://anongit.mindrot.org/openssh.git/commit/?id=ed4ce82dbfa8a3a3c8ea6fa0db113c71e234416c
which needs to be applied after: https://anongit.mindrot.org/openssh.git/commit/?id=f98a09cacff7baad8748c9aa217afd155a4d493f
Background information on X11 SECURITY extension and SSH: https://thejh.net/written-stuff/openssh-6.8-xsecurity
https://lists.mindrot.org/pipermail/openssh-unix-dev/2016-January/034684.html
Red Hat Bugzilla entry: https://bugzilla.redhat.com/show_bug.cgi?id=1298741
vulnerability is partly due to /etc/X11/Xsession.d/35x11-common_xhost-local introduced in x11-common in 1:7.6+9 (wheezy and up)
https://lists.debian.org/debian-lts/2016/01/msg00029.html
Upstream announce: http://www.openssh.com/txt/release-7.2