[ubuntu/trusty-security] openssh 1:6.6p1-2ubuntu2.12 (Accepted)
Marc Deslauriers
marc.deslauriers at canonical.com
Thu Feb 7 17:33:49 UTC 2019
openssh (1:6.6p1-2ubuntu2.12) trusty-security; urgency=medium
* SECURITY UPDATE: access restrictions bypass in scp
- debian/patches/CVE-2018-20685.patch: disallow empty filenames
or ones that refer to the current directory in scp.c.
- CVE-2018-20685
* SECURITY UPDATE: scp client spoofing via object name
- debian/patches/CVE-2019-6109.patch: make sure the filenames match
the wildcard specified by the user, and add new flag to relax the new
restrictions in scp.c, scp.1.
- CVE-2019-6109
* SECURITY UPDATE: scp client missing received object name validation
- debian/patches/CVE-2019-6111-pre1.patch: backport snmprintf from
newer OpenSSH in Makefile.in, utf8.c, utf8.h, configure.ac.
- debian/patches/CVE-2019-6111-pre2.patch: update vis.h and vis.c from
newer OpenSSH.
- debian/patches/CVE-2019-6111-1.patch: sanitize scp filenames via
snmprintf in atomicio.c, progressmeter.c, progressmeter.h,
scp.c, sftp-client.c.
- debian/patches/CVE-2019-6111-2.patch: force progressmeter updates in
progressmeter.c, progressmeter.h, scp.c, sftp-client.c.
- CVE-2019-6111
Date: 2019-01-31 17:00:17.214332+00:00
Changed-By: Marc Deslauriers <marc.deslauriers at canonical.com>
https://launchpad.net/ubuntu/+source/openssh/1:6.6p1-2ubuntu2.12
-------------- next part --------------
Sorry, changesfile not available.
More information about the Trusty-changes
mailing list