
Bug#1064898: /usr/bin/sshd: mktemp - literal X-s in /tmp directory names

Hi Colin,

On 2024-03-03 20:27, Colin Watson wrote:
> On Tue, Feb 27, 2024 at 12:56:47PM +0100, Csillag Tamas wrote:
>>    * What led up to the situation?
>> After upgrading to Debian 12 I am seeing directories in /tmp like:
>>      ssh-XXXXXXnOKqkt, ssh-XXXXXXtGmfLV
>>    * What was the outcome of this action?
>>    * What outcome did you expect instead?
>>      These directories are created by sshd.
>>      In oldstable and OpenBSD the directories are as expected:
>>      ssh-LwxtSMoGSV, ssh-JPcQMaBN6s
>>
>>      The regression might be only in openssh-portable?
>>
>> As there are still 6 variable characters, this might not be easily exploitable
>> security-wise, and it used to be 10 just as in OpenBSD current.
>
> This is the same as https://bugs.debian.org/1001186; it's fixed for the
> next development release, but not yet for bookworm.
>
> Since this doesn't appear to be immediately serious, my inclination is
> to queue this up to fix along with the next bookworm openssh security
> update (whenever that might be), but not to trouble the security team
> with it right away.  Does that sound reasonable?

Okay, that sounds reasonable to me.
It would be nice to have it in one of the next point releases if it is not too much trouble.

Regards,
 Tamás
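The mechanism behind the names in the report, as an added example that is not part of this thread and not OpenSSH's or Debian's own code: glibc's mkdtemp() (like musl's) replaces only the trailing six X's of its template, so a template with more X's than that keeps the leading ones as literal characters and the name carries fewer random characters than the template suggests. The twelve-X template and the 62-character alphabet below are assumptions chosen to match the observed "ssh-XXXXXXnOKqkt" (six literal X's, six random characters); the functions measure how many X's the running libc actually randomises and how large the resulting name space is, which is the quantity a defender cares about when judging the "6 variable characters" remark.

```c
#define _DEFAULT_SOURCE
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* mkdtemp() template of the shape sshd uses for its agent-socket
 * directory. Twelve X's is an assumption that matches the names in the
 * report: six literal X's followed by six random characters. */
#define SSH_TEMPLATE "ssh-XXXXXXXXXXXX"
#define SSH_PREFIX   "ssh-"
#define ALPHABET     62   /* [A-Za-z0-9], the set typical mkdtemp() draws from */

/* Length of the run of literal 'X' characters immediately after the fixed
 * prefix of a created name: template positions mkdtemp() never touched.
 * Returns 0 when the prefix does not match. */
size_t literal_x_run(const char *name, const char *prefix)
{
    size_t plen = strlen(prefix);
    if (strncmp(name, prefix, plen) != 0)
        return 0;
    size_t n = 0;
    for (const char *p = name + plen; *p == 'X'; p++)
        n++;
    return n;
}

/* Size of the name space for n randomised characters: ALPHABET^n.
 * Computed by repeated multiplication so no libm link is needed. */
double keyspace(size_t random_chars)
{
    double space = 1.0;
    for (size_t i = 0; i < random_chars; i++)
        space *= ALPHABET;
    return space;
}

/* Expand SSH_TEMPLATE under `dir` with this libc's mkdtemp() and report how
 * many of the X's it replaced; the directory is removed again. Several
 * trials are run and the best case kept, so a random character that happens
 * to be 'X' does not under-count. Returns -1 on error. */
int x_replaced_by_mkdtemp(const char *dir)
{
    size_t total_x = strlen(SSH_TEMPLATE) - strlen(SSH_PREFIX);
    size_t min_literal = total_x;
    for (int trial = 0; trial < 8; trial++) {
        char path[4096];
        snprintf(path, sizeof path, "%s/%s", dir, SSH_TEMPLATE);
        if (mkdtemp(path) == NULL)
            return -1;
        const char *base = strrchr(path, '/') + 1;
        size_t lit = literal_x_run(base, SSH_PREFIX);
        rmdir(path);
        if (lit < min_literal)
            min_literal = lit;
    }
    return (int)(total_x - min_literal);
}

int main(void)
{
    /* Name constructed to match the report. */
    const char *reported = "ssh-XXXXXXnOKqkt";
    size_t lit = literal_x_run(reported, SSH_PREFIX);
    size_t var = strlen(reported) - strlen(SSH_PREFIX) - lit;
    printf("%s: %zu literal X's, %zu random -> keyspace %.0f\n",
           reported, lit, var, keyspace(var));
    printf("ten randomised characters (oldstable/OpenBSD) -> keyspace %.0f\n",
           keyspace(10));

    const char *tmp = getenv("TMPDIR");
    int r = x_replaced_by_mkdtemp(tmp ? tmp : "/tmp");
    if (r < 0)
        perror("mkdtemp");
    else
        printf("this libc replaced %d of %zu X's in %s\n",
               r, strlen(SSH_TEMPLATE) - strlen(SSH_PREFIX), SSH_TEMPLATE);
    return 0;
}
```

On a glibc or musl system the last line reports 6 of 12; on OpenBSD, whose mkdtemp() randomises every X, it reports 12. The keyspace figures (62^6 versus 62^10) are what the "still 6 variable characters" observation amounts to: roughly 2^36 names instead of roughly 2^60.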

