OpenSSH 4.3p2, and probably other versions, allows local users to hijack forwarded X connections by causing ssh to set DISPLAY to :10, even when another process is listening on the associated port, as demonstrated by opening TCP port 6010 (IPv4) and sniffing a cookie sent by Emacs.
| Name | Vendor | Start Version | End Version |
|---|---|---|---|
| Openssh | Openbsd | 4.3p2 (including) | 4.3p2 (including) |
| Red Hat Enterprise Linux 4 | RedHat | openssh-0:3.9p1-8.RHEL4.9 | * |
| Openssh | Ubuntu | dapper | * |
| Openssh | Ubuntu | edgy | * |
| Openssh | Ubuntu | feisty | * |
| Openssh | Ubuntu | gutsy | * |