rssh 2.3.4-10 source package in Debian

Changelog

rssh (2.3.4-10) unstable; urgency=high

  * Also reject rsync --daemon and --config command-line options, which
    can be used to run arbitrary commands.  Thanks, Nick Cleaton.
    (CVE-2019-3463)
  * Unset the HOME environment variable when running rsync to prevent popt
    (against which rsync is linked) from loading a ~/.popt configuration
    file, which can run arbitrary commands on the server or redefine
    command-line options to bypass argument checking.  Thanks, Nick
    Cleaton.  (CVE-2019-3463)
  * Do not stop checking the rsync command line at --, since this can be
    an argument to some other option and later arguments may still be
    interpreted as options.  In the few cases where one needs to rsync to
    files named things like --rsh, the client can use ./--rsh instead.
    Thanks, Nick Cleaton.
  * Remove now-unused variables from the rsync validation patch.

 -- Russ Allbery <email address hidden>  Sat, 02 Feb 2019 10:59:47 -0800

Upload details

Uploaded by: Russ Allbery
Uploaded to: Sid
Original maintainer: Russ Allbery
Architectures: any
Section: net
Urgency: Very Urgent

Downloads

File Size SHA-256 Checksum
rssh_2.3.4-10.dsc 1.5 KiB 100519617bc5ebe7e9873af0f9fa360801ee0d75dcc8ec25a9583aec5d06d9f5
rssh_2.3.4.orig.tar.gz 110.7 KiB f30c6a760918a0ed39cf9e49a49a76cb309d7ef1c25a66e77a41e2b1d0b40cd9
rssh_2.3.4-10.debian.tar.xz 29.6 KiB 2c41e3c3905ae87249b0ad028b20e88a86d1bf4445e3be216ff87733221e1b5d
