
Accepted rssh 2.3.4-9 (source) into unstable

Format: 1.8
Date: Mon, 28 Jan 2019 21:03:59 -0800
Source: rssh
Architecture: source
Version: 2.3.4-9
Distribution: unstable
Urgency: high
Maintainer: Russ Allbery <rra@debian.org>
Changed-By: Russ Allbery <rra@debian.org>
Closes: 919623
Changes:
 rssh (2.3.4-9) unstable; urgency=high
 .
   [ Russ Allbery ]
   * Validate the allowed scp command line and only permit the flags used
     in server mode and only a single argument, to attempt to prevent use
     of ssh options to run arbitrary code on the server.  This will break
     scp -3 to a system running rssh, which seems like an acceptable loss.
     (Closes: #919623, CVE-2019-1000018)
   * Tighten validation of the rsync command line to require --server be
     the first argument, which should prevent initiation of an outbound
     rsync command from the server, which in turn might allow execution of
     arbitrary code via ssh configuration similar to scp.
   * Add validation of the server command line after chroot when chroot is
     enabled.  Prior to this change, dangerous argument filtering was not
     done when chroot was configured, allowing remote code execution inside
     the chroot in some configurations via the previous two bugs and via
     the mechanisms in CVE-2012-2251 and CVE-2012-2252.
   * Document that the cvs server-side dangerous option filtering is
     probably insufficient and should not be considered secure.
   * Remove ancient upgrade support in debian/postinst.
   * Remove debian/source/options, which was forcing compression to xz (now
     the default).
   * Update to debhelper compatibility level V12.
   * Update standards version to 4.3.0 (no changes required).
 .
   [ Ondřej Nový ]
   * d/watch: Use https protocol

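The scp and rsync argument checks described in the first two changelog entries, as an added example (not rssh's own C code): an allowlist validator for a forced command line that accepts only the flags the OpenSSH scp client passes to its server-side process plus exactly one path, and accepts rsync only with --server as its first argument. The flag allowlist, the use of shlex for splitting and the function names are assumptions made for this illustration.

```python
import shlex

# Flags the OpenSSH scp client prepends to the remote "scp" command
# (assumed allowlist for this example).
SCP_MODIFIER_FLAGS = {"-v", "-r", "-p", "-d"}
SCP_MODE_FLAGS = {"-t", "-f"}  # "to" (sink) and "from" (source) server modes


def validate_scp_argv(argv):
    """Accept only 'scp [-v] [-r] [-p] [-d] (-t|-f) [--] <one path>'.

    Anything else (ssh options such as -o or -S, extra paths, unknown
    or combined flags) is rejected so a client cannot steer the server
    into running an outbound ssh/scp with attacker-chosen options.
    """
    if len(argv) < 3 or argv[0] != "scp":
        return False
    i = 1
    while i < len(argv) and argv[i] in SCP_MODIFIER_FLAGS:
        i += 1
    if i >= len(argv) or argv[i] not in SCP_MODE_FLAGS:
        return False  # exactly one server-mode flag is required
    i += 1
    if i < len(argv) and argv[i] == "--":
        i += 1  # scp emits "--" before a path that starts with "-"
    elif i < len(argv) and argv[i].startswith("-"):
        return False  # would be parsed as an option, never as a path
    return i == len(argv) - 1  # exactly one argument may remain


def validate_rsync_argv(argv):
    """rsync is only allowed in server mode: '--server' must be argv[1]."""
    return len(argv) >= 2 and argv[0] == "rsync" and argv[1] == "--server"


def check_forced_command(command):
    """Validate an SSH_ORIGINAL_COMMAND-style string; False means reject."""
    try:
        argv = shlex.split(command)
    except ValueError:  # unbalanced quotes
        return False
    if not argv:
        return False
    if argv[0] == "scp":
        return validate_scp_argv(argv)
    if argv[0] == "rsync":
        return validate_rsync_argv(argv)
    return False  # any other program is not permitted
```

Note that, as the changelog says, this strictness also rejects command lines a legitimate but unusual client might send; the trade-off is deliberate.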