
[SECURITY] [DLA 1650-1] rssh security update




Package        : rssh
Version        : 2.3.4-4+deb8u1
CVE ID         : CVE-2019-1000018
Debian Bug     : 919623

The ESnet security team discovered a vulnerability in rssh, a restricted
shell that allows users to perform only scp, sftp, cvs, svnserve
(Subversion), rdist and/or rsync operations. Missing validation in the
scp support could result in the bypass of this restriction, allowing the
execution of arbitrary shell commands.

Please note that with the update applied, the "-3" option of scp can no
longer be used.

For Debian 8 "Jessie", this problem has been fixed in version
2.3.4-4+deb8u1.

We recommend that you upgrade your rssh packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS