MFC r311914: MFV r311913:

Fix multiple OpenSSH vulnerabilities. Submitted by: des Approved by: so
author: delphij <delphij@FreeBSD.org> 2017-01-11 05:56:40 +0000
committer: delphij <delphij@FreeBSD.org> 2017-01-11 05:56:40 +0000
commit: 01991d8d9a5ef8038fb70e3084e07d1eaeed4e0d (patch)
tree: 73e37f1e585cae50c2fe9162c37c3923a63fc633 /crypto/openssh/serverloop.c
parent: 3b7c487a04a0e2640bc7c0236572c196f0af6939 (diff)
download: FreeBSD-src-01991d8d9a5ef8038fb70e3084e07d1eaeed4e0d.zip
FreeBSD-src-01991d8d9a5ef8038fb70e3084e07d1eaeed4e0d.tar.gz
1 files changed, 2 insertions, 2 deletions
diff --git a/crypto/openssh/serverloop.c b/crypto/openssh/serverloop.c
index 80d1db5..f5c362d 100644
--- a/crypto/openssh/serverloop.c
+++ b/crypto/openssh/serverloop.c
@@ -995,7 +995,7 @@ server_request_direct_streamlocal(void)
 
 	/* XXX fine grained permissions */
 	if ((options.allow_streamlocal_forwarding & FORWARD_LOCAL) != 0 &&
-	    !no_port_forwarding_flag) {
+	    !no_port_forwarding_flag && use_privsep) {
 		c = channel_connect_to_path(target,
 		    "direct-streamlocal@openssh.com", "direct-streamlocal");
 	} else {
@@ -1279,7 +1279,7 @@ server_input_global_request(int type, u_int32_t seq, void *ctxt)
 
 		/* check permissions */
 		if ((options.allow_streamlocal_forwarding & FORWARD_REMOTE) == 0
-		    || no_port_forwarding_flag) {
+		    || no_port_forwarding_flag || !use_privsep) {
 			success = 0;
 			packet_send_debug("Server has disabled port forwarding.");
 		} else {
author	delphij <delphij@FreeBSD.org>	2017-01-11 05:56:40 +0000
committer	delphij <delphij@FreeBSD.org>	2017-01-11 05:56:40 +0000
commit	01991d8d9a5ef8038fb70e3084e07d1eaeed4e0d (patch)
tree	73e37f1e585cae50c2fe9162c37c3923a63fc633 /crypto/openssh/serverloop.c
parent	3b7c487a04a0e2640bc7c0236572c196f0af6939 (diff)
download	FreeBSD-src-01991d8d9a5ef8038fb70e3084e07d1eaeed4e0d.zip FreeBSD-src-01991d8d9a5ef8038fb70e3084e07d1eaeed4e0d.tar.gz