Many issues discussed at URL, but only the local privilege escalations seem to be properly fixed, and there's a bunch of patches:

https://github.com/tmate-io/tmate-ssh-server/commit/1c020d1f5ca462f5b150b46a027aaa1bbe3c9596
https://github.com/tmate-io/tmate-ssh-server/commit/36f073b4ccf05da2fd51cc10a2debb443c592c50
https://github.com/tmate-io/tmate-ssh-server/commit/b41672b634af4ec8797449e78e4b731e24e26e16
https://github.com/tmate-io/tmate-ssh-server/commit/1f314123df2bb29cb07427ed8663a81c8d9034fd

No release upstream.
Hi security team,

The app-misc/tmate package in the portage tree is solely the client side of the application; it does require a server side: tmate-ssh-server. This security report mainly focuses on the server side, so we probably can't do much on the downstream side for sections 2-3 in [1]; it's a design issue.

So, my question here: what should we do for users? p.mask app-misc/tmate? Warn users when they install this package? Or any other idea/suggestion?

[1] https://www.openwall.com/lists/oss-security/2021/12/06/2
(In reply to Yixun Lan from comment #1)
> Hi security team,
> The app-misc/tmate package in the portage tree is solely the client side of
> the application; it does require a server side: tmate-ssh-server. This
> security report mainly focuses on the server side, so we probably can't do
> much on the downstream side for sections 2-3 in [1]; it's a design issue.

You're right, sorry for not noticing this before!

> So, my question here: what should we do for users? p.mask app-misc/tmate?
> Warn users when they install this package? Or any other idea/suggestion?
>
>
> [1] https://www.openwall.com/lists/oss-security/2021/12/06/2

In my opinion, when someone installs something, they're explicitly trusting it security-wise. Given there doesn't seem to be any specific vulnerability in the client that we have packaged, I don't think there's anything to do from a security perspective here. But if you think action is necessary in the client package, feel free!