1. Forum
  2. Usenet
  3. LINUX.DEBIAN.ANNOUNCE.SEC

  • [SECURITY] [DSA 4377-1] rssh security update

    From Moritz Muehlenhoff@1:229/2 to All on Wed Jan 30 16:30:01 2019
    From: [email protected]

    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA512

    - ------------------------------------------------------------------------- Debian Security Advisory DSA-4377-1 [email protected] https://www.debian.org/security/ Moritz Muehlenhoff January 30, 2019 https://www.debian.org/security/faq
    - -------------------------------------------------------------------------

    Package : rssh
    CVE ID : CVE-2019-1000018
    Debian Bug : 919623

    The ESnet security team discovered a vulnerability in rssh, a restricted
    shell that allows users to perform only scp, sftp, cvs, svnserve
    (Subversion), rdist and/or rsync operations. Missing validation in the
    scp support could result in the bypass of this restriction, allowing the execution of arbitrary shell commands.

    Please note that with the update applied, the "-3" option of scp can no
    longer be used.

    For the stable distribution (stretch), this problem has been fixed in
    version 2.3.4-5+deb9u1.

    We recommend that you upgrade your rssh packages.

    For the detailed security status of rssh please refer to
    its security tracker page at:
    https://security-tracker.debian.org/tracker/rssh

    Further information about Debian Security Advisories, how to apply
    these updates to your system and frequently asked questions can be
    found at: https://www.debian.org/security/

    Mailing list: [email protected]
    -----BEGIN PGP SIGNATURE-----

    iQIzBAEBCgAdFiEEtuYvPRKsOElcDakFEMKTtsN8TjYFAlxRwT0ACgkQEMKTtsN8 TjZcJA/8DwSA3ZfIQM2uQG/YRT5iOG4S9AV856qkqi98jZvCykbEY8HM1jLVBO8a zB10/DgR/ObbkX/FOQMV/JLNbJfzeY1wQyLWxr+0jHR1/X8eDkVekxABvIjA81PQ skVP2Xu6h8H3BcZDs75Bq+fFGMKjHTojqSPo83lj9WZoWJKJjxzJcgz9PgPzN+MF 3RHO5SEDG/Qgp2Laei4u+783NozHqglPKeellb0T8wwt7mQAfTNhYPYHbSgd7sPd AQt7SLD9SM4u+3qowdsKcmcH1n7QoG7grS1PiL7+oOas4Zw8ssgeGLlaeFJIb56y 3MHgCTNSAdJ55gQ13H9XkFEsRAU7p0PO+/Zs1H/7TB0uy/o9ZbyGk0m7nHGqAXKd KyHwDS9q2VMLBfJxDmSY78kVdRqX2+9IGdyz7jNyibEXlAc+Oa2/3WnXNZtlngy5 UIqyXSf9Pi4pXMQbeZqIP2RFGjhIKXr1GP1sBKKwGvxQKEqfHLTBfZdI4qWfKq7H SUfhRIYrJ+k/JBSE9nuGyz70GxwnMbZz/r5UBSBi/bbhZWeD+54DdN/0629A9Zar 9oMT4bSL2gZEi/CH/mfYo0duWdjPDRSkHrRDitiShF4I7RcerHQYzHTmBsS0/zjw 3cEfK0MonOlLUOq3RshNgXp6G5rkEdBxq0juENi/zu3l0/Ymtro=
    =UyUw
    -----END PGP SIGNATURE-----

    --- SoupGate-Win32 v1.05
    * Origin: you cannot sedate... all the things you hate (1:229/2)