rssh 2.3.4-10 source package in Debian
Changelog
rssh (2.3.4-10) unstable; urgency=high
* Also reject rsync --daemon and --config command-line options, which
can be used to run arbitrary commands. Thanks, Nick Cleaton.
(CVE-2019-3463)
* Unset the HOME environment variable when running rsync to prevent popt
(against which rsync is linked) from loading a ~/.popt configuration
file, which can run arbitrary commands on the server or redefine
command-line options to bypass argument checking. Thanks, Nick
Cleaton. (CVE-2019-3463)
* Do not stop checking the rsync command line at --, since this can be
an argument to some other option and later arguments may still be
interpreted as options. In the few cases where one needs to rsync to
files named things like --rsh, the client can use ./--rsh instead.
Thanks, Nick Cleaton.
* Remove now-unused variables from the rsync validation patch.
-- Russ Allbery <email address hidden> Sat, 02 Feb 2019 10:59:47 -0800
Upload details
- Uploaded by:
- Russ Allbery
- Uploaded to:
- Sid
- Original maintainer:
- Russ Allbery
- Architectures:
- any
- Section:
- net
- Urgency:
- Very Urgent
See full publishing history Publishing
| Series | Published | Component | Section |
|---|
Builds
Downloads
| File | Size | SHA-256 Checksum |
|---|---|---|
| rssh_2.3.4-10.dsc | 1.5 KiB | 100519617bc5ebe7e9873af0f9fa360801ee0d75dcc8ec25a9583aec5d06d9f5 |
| rssh_2.3.4.orig.tar.gz | 110.7 KiB | f30c6a760918a0ed39cf9e49a49a76cb309d7ef1c25a66e77a41e2b1d0b40cd9 |
| rssh_2.3.4-10.debian.tar.xz | 29.6 KiB | 2c41e3c3905ae87249b0ad028b20e88a86d1bf4445e3be216ff87733221e1b5d |
Available diffs
- diff from 2.3.4-9 to 2.3.4-10 (4.1 KiB)
No changes file available.
