On Wed, 19 Mar 2014, mancha wrote:
> Hello.
>
> For the purposes of backporting, can you please confirm the relevant
> change for the environment variable security fix in 6.6 is:
>
>
http://www.openbsd.org/cgi-bin/cvsweb/src/usr.bin/ssh/session.c.diff?r1=1.270;r2=1.271
Only the first chunk of the diff is strictly needed, the rest is hygiene.
> FYI, not sure if the request originated with OpenBSD/OpenSSH but this
> has been assigned CVE-2014-2532.
Sigh, another inaccurate OpenSSH CVE. "Authentication: Not required to
exploit",
-d