| Summary: | app-misc/tmate: multiple vulnerabilities with tmate-ssh-server | | |
|---|---|---|---|
| Product: | Gentoo Security | Reporter: | John Helmert III <ajak> |
| Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
| Status: | RESOLVED INVALID | | |
| Severity: | trivial | CC: | dlan |
| Priority: | Normal | | |
| Version: | unspecified | | |
| Hardware: | All | | |
| OS: | Linux | | |
| URL: | https://www.openwall.com/lists/oss-security/2021/12/06/2 | | |
| Whiteboard: | ~3 [upstream/ebuild] | | |
| Package list: | | Runtime testing required: | --- |
Description
John Helmert III
hi security team,

The app-misc/tmate package in the portage tree is solely the client side of the application; it does require a server side: tmate-ssh-server. And this security report mainly focuses on the server side, so we probably can't do much at the downstream side for sections 2-3 in [1]; it's a design issue.

so, my question here: what should we do for users? p.mask app-misc/tmate? warn users when they install this package? or any other idea/suggestion?

[1] https://www.openwall.com/lists/oss-security/2021/12/06/2

---

(In reply to Yixun Lan from comment #1)

> hi security team,
> The app-misc/tmate package in the portage tree is solely the client side of
> the application; it does require a server side: tmate-ssh-server. And this
> security report mainly focuses on the server side, so we probably can't do
> much at the downstream side for sections 2-3 in [1]; it's a design issue.

You're right, sorry for not noticing this before!

> so, my question here: what should we do for users? p.mask app-misc/tmate?
> warn users when they install this package? or any other idea/suggestion?
>
>
> [1] https://www.openwall.com/lists/oss-security/2021/12/06/2

In my opinion, when someone installs something, they're explicitly trusting it security-wise. Given there doesn't seem to be any specific vulnerabilities in the client that we have packaged, I don't think there's anything to do from a security perspective here. But if you think action is necessary in the client package, feel free!