2 files changed, 13 insertions, 0 deletions
diff --git a/debian/README.Debian b/debian/README.Debian
index cb1444a47..4f076f898 100644
--- a/debian/README.Debian
+++ b/debian/README.Debian
@@ -115,6 +115,15 @@ As of OpenSSH 3.1, the remote $DISPLAY uses localhost by default to reduce
 the security risks of X11 forwarding. Look up X11UseLocalhost in
 sshd_config(8) if this is a problem.
+OpenSSH 3.8 invented ForwardX11Trusted, which when set to no causes the
+ssh client to create an untrusted X cookie so that attacks on the
+forwarded X11 connection can't become attacks on X clients on the remote
+machine. However, this has some problems in implementation - notably a
+very short timeout of the untrusted cookie - breaks large numbers of
+existing setups, and generally seems immature. The Debian package
+therefore sets the default for this option to "no" (in ssh itself,
+rather than in ssh_config).
 Fallback to RSH
 ---------------
diff --git a/debian/changelog b/debian/changelog
index ef6d73a81..3d3ed1275 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,6 +1,10 @@
 openssh (1:3.8p1-2) UNRELEASED; urgency=low
  * Disable PasswordAuthentication for new installations (closes: #236810).
+  * Turn off the new ForwardX11Trusted by default, returning to the
+    semantics of 3.7 and earlier, since it seems immature and causes far too
+    many problems with existing setups. See README.Debian for details
+    (closes: #237021).
 -- Colin Watson <cjwatson@debian.org>  Mon,  8 Mar 2004 14:38:54 +0000

diff --git a/debian/README.Debian b/debian/README.Debian index cb1444a47..4f076f898 100644 --- a/debian/README.Debian +++ b/debian/README.Debian
@@ -115,6 +115,15 @@ As of OpenSSH 3.1, the remote $DISPLAY uses localhost by default to reduce
115	the security risks of X11 forwarding. Look up X11UseLocalhost in	115	the security risks of X11 forwarding. Look up X11UseLocalhost in
116	sshd_config(8) if this is a problem.	116	sshd_config(8) if this is a problem.
117		117
		118	OpenSSH 3.8 invented ForwardX11Trusted, which when set to no causes the
		119	ssh client to create an untrusted X cookie so that attacks on the
		120	forwarded X11 connection can't become attacks on X clients on the remote
		121	machine. However, this has some problems in implementation - notably a
		122	very short timeout of the untrusted cookie - breaks large numbers of
		123	existing setups, and generally seems immature. The Debian package
		124	therefore sets the default for this option to "no" (in ssh itself,
		125	rather than in ssh_config).
		126
118	Fallback to RSH	127	Fallback to RSH
119	---------------	128	---------------
120		129


diff --git a/debian/changelog b/debian/changelog index ef6d73a81..3d3ed1275 100644 --- a/debian/changelog +++ b/debian/changelog
@@ -1,6 +1,10 @@
1	openssh (1:3.8p1-2) UNRELEASED; urgency=low	1	openssh (1:3.8p1-2) UNRELEASED; urgency=low
2		2
3	* Disable PasswordAuthentication for new installations (closes: #236810).	3	* Disable PasswordAuthentication for new installations (closes: #236810).
		4	* Turn off the new ForwardX11Trusted by default, returning to the
		5	semantics of 3.7 and earlier, since it seems immature and causes far too
		6	many problems with existing setups. See README.Debian for details
		7	(closes: #237021).
4		8
5	-- Colin Watson <cjwatson@debian.org> Mon, 8 Mar 2004 14:38:54 +0000	9	-- Colin Watson <cjwatson@debian.org> Mon, 8 Mar 2004 14:38:54 +0000
6		10