[ubuntu/cosmic-security] rssh 2.3.4-8ubuntu0.2 (Accepted)

Mike Salvatore mike.salvatore at canonical.com
Thu Apr 11 18:02:46 UTC 2019


rssh (2.3.4-8ubuntu0.2) cosmic-security; urgency=medium

  * SECURITY UPDATE: Command injection
    - debian/patches/0009-Verify-scp-command-options.patch: Validate
      the allowed scp command line and only permit the flags used in
      server mode and only a single argument, to attempt to prevent use
      of ssh options to run arbitrary code on the server.  This will
      break scp -3 to a system running rssh, which seems like an
      acceptable loss. (LP #1815935)
    - debian/patches/0007-Verify-rsync-command-options.patch: Tighten
      validation of the rsync command line to require --server be the
      first argument, which should prevent initiation of an outbound rsync
      command from the server, which in turn might allow execution of
      arbitrary code via ssh configuration similar to scp.

      Also reject rsync --daemon and --config command-line options, which
      can be used to run arbitrary commands.  Thanks, Nick Cleaton.

      Do not stop checking the rsync command line at --, since this can
      be an argument to some other option and later arguments may still
      be interpreted as options.  In the few cases where one needs to
      rsync to files named things like --rsh, the client can use ./--rsh
      instead.  Thanks, Nick Cleaton.
    - debian/patches/0010-Check-command-line-after-chroot.patch: Unset
      the HOME environment variable when running rsync to prevent popt
      (against which rsync is linked) from loading a ~/.popt
      configuration file, which can run arbitrary commands on the server
      or redefine command-line options to bypass argument checking.
      Thanks, Nick Cleaton.
    - CVE-2019-1000018
    - CVE-2019-3463
    - CVE-2019-3464

Date: 2019-04-11 17:27:27.481516+00:00
Changed-By: Mike Salvatore <mike.salvatore at canonical.com>
https://launchpad.net/ubuntu/+source/rssh/2.3.4-8ubuntu0.2
-------------- next part --------------
Sorry, changesfile not available.


More information about the Cosmic-changes mailing list