rssh 2.3.4-8ubuntu0.2 source package in Ubuntu
Changelog
rssh (2.3.4-8ubuntu0.2) cosmic-security; urgency=medium

  * SECURITY UPDATE: Command injection
    - debian/patches/0009-Verify-scp-command-options.patch: Validate the
      allowed scp command line and only permit the flags used in server
      mode and only a single argument, to attempt to prevent use of ssh
      options to run arbitrary code on the server. This will break
      scp -3 to a system running rssh, which seems like an acceptable
      loss. (LP #1815935)
    - debian/patches/0007-Verify-rsync-command-options.patch: Tighten
      validation of the rsync command line to require --server be the
      first argument, which should prevent initiation of an outbound
      rsync command from the server, which in turn might allow execution
      of arbitrary code via ssh configuration similar to scp. Also reject
      rsync --daemon and --config command-line options, which can be used
      to run arbitrary commands. Thanks, Nick Cleaton.
      Do not stop checking the rsync command line at --, since this can
      be an argument to some other option and later arguments may still
      be interpreted as options. In the few cases where one needs to
      rsync to files named things like --rsh, the client can use ./--rsh
      instead. Thanks, Nick Cleaton.
    - debian/patches/0010-Check-command-line-after-chroot.patch: Unset
      the HOME environment variable when running rsync to prevent popt
      (against which rsync is linked) from loading a ~/.popt
      configuration file, which can run arbitrary commands on the server
      or redefine command-line options to bypass argument checking.
      Thanks, Nick Cleaton.
    - CVE-2019-1000018
    - CVE-2019-3463
    - CVE-2019-3464

 -- Mike Salvatore <email address hidden>  Wed, 10 Apr 2019 13:23:31 -0400
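
The allow-list checks described in the changelog entry above, sketched as an added example written for this page; it is not the code from the Debian patches. The function names, the scp flag set `dfprtv` and the sample command lines are assumptions, and only the rules the entry names are covered.

```c
#include <stdio.h>
#include <string.h>

/* Flags scp hands to its remote side in server mode. This set is an
 * assumption of the example, not copied from the patch. */
static const char SCP_SERVER_FLAGS[] = "dfprtv";

/* scp: server-mode flags only, then exactly one path argument. */
int scp_args_allowed(int argc, char *const argv[])
{
    int i, mode = 0;
    for (i = 1; i < argc && argv[i][0] == '-'; i++) {
        const char *p = argv[i] + 1;
        if (*p == '\0')
            return 0;                     /* bare "-" */
        for (; *p; p++) {
            if (!strchr(SCP_SERVER_FLAGS, *p))
                return 0;                 /* -o, -S, -3, "--", ... */
            if (*p == 't' || *p == 'f')
                mode = 1;                 /* sink or source mode seen */
        }
    }
    return mode && i == argc - 1;         /* one argument left over */
}

/* rsync: --server must come first; --daemon and --config are refused
 * anywhere, and "--" does not end the scan. */
int rsync_args_allowed(int argc, char *const argv[])
{
    if (argc < 2 || strcmp(argv[1], "--server") != 0)
        return 0;
    for (int i = 2; i < argc; i++)
        if (strncmp(argv[i], "--daemon", 8) == 0 ||
            strncmp(argv[i], "--config", 8) == 0)
            return 0;
    return 1;
}

/* Constructed sample command lines. */
static char *const scp_ok[]   = { "scp", "-t", "/upload" };
static char *const scp_opt[]  = { "scp", "-o", "SomeOption=x", "-t", "/upload" };
static char *const rsync_ok[] = { "rsync", "--server", "-logDtpr", ".", "/upload" };
static char *const rsync_dd[] = { "rsync", "--server", "--", "--config=/tmp/x", "." };

int main(void)
{
    printf("%d %d %d %d\n", scp_args_allowed(3, scp_ok), scp_args_allowed(5, scp_opt),
           rsync_args_allowed(5, rsync_ok), rsync_args_allowed(5, rsync_dd));
    return 0;
}
```

Both checks fail closed: a path that begins with `-` is rejected rather than guessed at, which matches the entry's advice to have the client send `./--rsh` instead.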
Upload details
- Uploaded by: Mike Salvatore
- Uploaded to: Cosmic
- Original maintainer: Ubuntu Developers
- Architectures: any
- Section: net
- Urgency: Medium Urgency
Downloads
File | Size | SHA-256 Checksum |
---|---|---|
rssh_2.3.4.orig.tar.gz | 110.7 KiB | f30c6a760918a0ed39cf9e49a49a76cb309d7ef1c25a66e77a41e2b1d0b40cd9 |
rssh_2.3.4-8ubuntu0.2.debian.tar.xz | 29.1 KiB | ee2575dd75119e3bb3dfe5ecdbb2a0fe5cabb34ad8be108e0f33991489721522 |
rssh_2.3.4-8ubuntu0.2.dsc | 1.9 KiB | 8635ca70f0a00a3461b18ec8b97530b84f90ec06f67dfe2c6beecdf43623e3c7 |
Binary packages built by this source
- rssh: No summary available for rssh in ubuntu cosmic.
No description available for rssh in ubuntu cosmic.
- rssh-dbgsym: No summary available for rssh-dbgsym in ubuntu cosmic.
No description available for rssh-dbgsym in ubuntu cosmic.