rssh 2.3.4-9 source package in Debian

Changelog

rssh (2.3.4-9) unstable; urgency=high

  [ Russ Allbery ]
  * Validate the allowed scp command line and only permit the flags used
    in server mode and only a single argument, to attempt to prevent use
    of ssh options to run arbitrary code on the server.  This will break
    scp -3 to a system running rssh, which seems like an acceptable loss.
    (Closes: #919623, CVE-2019-1000018)
  * Tighten validation of the rsync command line to require --server be
    the first argument, which should prevent initiation of an outbound
    rsync command from the server, which in turn might allow execution of
    arbitrary code via ssh configuration similar to scp.
  * Add validation of the server command line after chroot when chroot is
    enabled.  Prior to this change, dangerous argument filtering was not
    done when chroot was configured, allowing remote code execution inside
    the chroot in some configurations via the previous two bugs and via
    the mechanisms in CVE-2012-2251 and CVE-2012-2252.
  * Document that the cvs server-side dangerous option filtering is
    probably insufficient and should not be considered secure.
  * Remove ancient upgrade support in debian/postinst.
  * Remove debian/source/options, which was forcing compression to xz (now
    the default).
  * Update to debhelper compatibility level V12.
  * Update standards version to 4.3.0 (no changes required).

  [ Ondřej Nový ]
  * d/watch: Use https protocol

 -- Russ Allbery <email address hidden>  Mon, 28 Jan 2019 21:03:59 -0800