[ubuntu/xenial-security] rssh 2.3.4-4+deb8u2build0.16.04.1 (Accepted)

Steve Beattie sbeattie at ubuntu.com
Fri Feb 8 00:27:20 UTC 2019


rssh (2.3.4-4+deb8u2build0.16.04.1) xenial-security; urgency=medium

  * fake sync from Debian

rssh (2.3.4-4+deb8u2) jessie-security; urgency=high

  * Non-maintainer upload by the LTS team.
  * Backport security fixes prepared by Debian's maintainer of rssh (rra).
  * Also reject rsync --daemon and --config command-line options, which
    can be used to run arbitrary commands.  Thanks, Nick Cleaton.
    (CVE-2019-3463)
  * Unset the HOME environment variable when running rsync to prevent popt
    (against which rsync is linked) from loading a ~/.popt configuration
    file, which can run arbitrary commands on the server or redefine
    command-line options to bypass argument checking.  Thanks, Nick
    Cleaton.  (CVE-2019-3464)
  * Do not stop checking the rsync command line at --, since this can be
    an argument to some other option and later arguments may still be
    interpreted as options.  In the few cases where one needs to rsync to
    files named things like --rsh, the client can use ./--rsh instead.
    Thanks, Nick Cleaton.

Date: 2019-02-07 22:34:08.501938+00:00
Changed-By: Steve Beattie <sbeattie at ubuntu.com>
Maintainer: Russ Allbery <rra at debian.org>
https://launchpad.net/ubuntu/+source/rssh/2.3.4-4+deb8u2build0.16.04.1
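The three changelog items above describe tightening of rssh's argument filter for rsync. What follows is an added example, not rssh's own code and not the Debian patch referenced above: a small C re-implementation of the argument walk that rejects --daemon, --config and --rsh/-e (with or without an attached "=value"), keeps scanning past "--" instead of stopping there, lets a file named ./--rsh through as a positional argument, and drops HOME from the environment before the exec so popt cannot pick up a ~/.popt file. One detail is an assumption of mine rather than something the changelog states: an rsync client in --server mode sends its protocol capabilities as a trailing "e" in the short-option cluster (for example "-vlogDtpre.iLsfxC", i.e. optional version digits, a dot, then letters), and that form has to be allowed or every transfer is refused. rssh's actual matching rules may differ from this sketch.

```c
#define _POSIX_C_SOURCE 200809L
#include <ctype.h>
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Long options that hand control of the server side to the client:
 * --rsh runs an arbitrary "remote shell" program, --daemon starts rsync in
 * daemon mode and --config chooses the daemon config file, whose
 * pre-xfer/post-xfer exec settings run arbitrary commands (CVE-2019-3463). */
static const char *const forbidden_long[] = { "--rsh", "--daemon", "--config", NULL };

/* True if arg is exactly opt, or opt with an attached value (--config=/x). */
static bool matches_long(const char *arg, const char *opt) {
    size_t n = strlen(opt);
    return strncmp(arg, opt, n) == 0 && (arg[n] == '\0' || arg[n] == '=');
}

/* Short-option cluster such as "-avz", "-e" or the client's server request
 * "-vlogDtpre.iLsfxC". In the last form the trailing 'e' carries protocol
 * capabilities (optional version digits, a dot, then letters) and is not a
 * remote shell; that reading of rsync's wire format is an assumption here.
 * Any other 'e' is treated as -e and rejected, including an 'e' that sits
 * inside an attached option value, which errs on the safe side. */
static bool short_cluster_ok(const char *arg) {
    const char *e = strchr(arg + 1, 'e');
    if (!e)
        return true;
    const char *p = e + 1;
    while (isdigit((unsigned char)*p))
        p++;
    if (*p != '.')
        return false;
    for (p++; *p; p++)
        if (!isalpha((unsigned char)*p))
            return false;
    return true;
}

/* Walk the whole argv. There is deliberately no early exit at "--": as the
 * changelog notes, "--" may be the value of a preceding option, so words
 * after it can still be parsed as options by rsync/popt. */
bool rsync_args_ok(int argc, char *const argv[]) {
    for (int i = 1; i < argc; i++) {
        const char *a = argv[i];
        if (a[0] != '-' || a[1] == '\0')
            continue;                 /* positional: "path", "./--rsh", "-" */
        if (a[1] != '-') {
            if (!short_cluster_ok(a))
                return false;
            continue;
        }
        for (const char *const *p = forbidden_long; *p; p++)
            if (matches_long(a, *p))
                return false;
    }
    return true;
}

/* Convenience wrapper: split a space-separated command line (no quoting,
 * enough for the constructed samples below) and run the check on it. */
bool rsync_cmdline_ok(const char *cmdline) {
    char buf[1024];
    char *argv[64];
    int argc = 0;
    if (strlen(cmdline) >= sizeof buf)
        return false;
    strcpy(buf, cmdline);
    for (char *tok = strtok(buf, " "); tok && argc < 64; tok = strtok(NULL, " "))
        argv[argc++] = tok;
    return rsync_args_ok(argc, argv);
}

/* Before exec'ing rsync, drop HOME so popt (linked into rsync) cannot load
 * ~/.popt, whose aliases/exec entries could rewrite the options checked
 * above (CVE-2019-3464). Returns 0 on success, like unsetenv(). */
int scrub_env_for_rsync(void) {
    return unsetenv("HOME");
}

int main(void) {
    /* Constructed sample command lines, not captured traffic. */
    const char *lines[] = {
        "rsync --server -vlogDtpre.iLsfxC . /srv/data",          /* ordinary client request */
        "rsync --server --daemon --config=/tmp/rsyncd.conf .",   /* CVE-2019-3463 */
        "rsync --server -- -e sh .",                              /* "--" must not end the scan */
        "rsync --server . ./--rsh",                               /* escaped file name */
    };
    for (size_t i = 0; i < sizeof lines / sizeof lines[0]; i++)
        printf("%-55s %s\n", lines[i], rsync_cmdline_ok(lines[i]) ? "allow" : "reject");
    return scrub_env_for_rsync() == 0 && getenv("HOME") == NULL ? 0 : 1;
}
```

The filter is an allow-or-refuse decision on the argument vector only; it does not try to emulate popt's alias expansion, which is exactly why HOME has to go before the exec rather than being inspected.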