[ubuntu/trusty-security] rssh 2.3.4-4+deb8u2build0.14.04.1 (Accepted)
Steve Beattie
sbeattie at ubuntu.com
Fri Feb 8 00:27:19 UTC 2019
rssh (2.3.4-4+deb8u2build0.14.04.1) trusty-security; urgency=medium
* fake sync from Debian
rssh (2.3.4-4+deb8u2) jessie-security; urgency=high
* Non-maintainer upload by the LTS team.
* Backport security fixes prepared by Debian's maintainer of rssh (rra).
* Also reject rsync --daemon and --config command-line options, which
can be used to run arbitrary commands. Thanks, Nick Cleaton.
(CVE-2019-3463)
* Unset the HOME environment variable when running rsync to prevent popt
(against which rsync is linked) from loading a ~/.popt configuration
file, which can run arbitrary commands on the server or redefine
command-line options to bypass argument checking. Thanks, Nick
Cleaton. (CVE-2019-3464)
* Do not stop checking the rsync command line at --, since this can be
an argument to some other option and later arguments may still be
interpreted as options. In the few cases where one needs to rsync to
files named things like --rsh, the client can use ./--rsh instead.
Thanks, Nick Cleaton.
Date: 2019-02-07 22:29:12.827048+00:00
Changed-By: Steve Beattie <sbeattie at ubuntu.com>
Maintainer: Russ Allbery <rra at debian.org>
https://launchpad.net/ubuntu/+source/rssh/2.3.4-4+deb8u2build0.14.04.1
-------------- next part --------------
Sorry, changesfile not available.
More information about the Trusty-changes
mailing list