[SECURITY] [DLA 1660-1] rssh security update

To: debian-lts-announce@lists.debian.org
Subject: [SECURITY] [DLA 1660-1] rssh security update
From: Antoine Beaupré <anarcat@debian.org>
Date: Tue, 5 Feb 2019 16:28:24 -0500
Message-id: <[🔎] 20190205212824.GA9181@curie.anarc.at>
Mail-followup-to: debian-lts@lists.debian.org
Reply-to: debian-lts@lists.debian.org

Package        : rssh
Version        : 2.3.4-4+deb8u2
CVE ID         : CVE-2019-3463 CVE-2019-3464

More vulnerabilities were found by Nick Cleaton in the rssh code that
could lead to arbitrary code execution under certain circumstances.

CVE-2019-3463

    reject rsync --daemon and --config command-line options; arbitrary
    command execution

CVE-2019-3464

    prevent popt to load a ~/.popt configuration file, leading to
    arbitrary command execution

For Debian 8 "Jessie", these problems have been fixed in version
2.3.4-4+deb8u2.

We recommend that you upgrade your rssh packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS

--

Attachment: signature.asc
Description: PGP signature

Reply to:

Prev by Date: [SECURITY] [DLA 1661-1] mumble security update
Next by Date: [SECURITY] [DLA 1662-1] libthrift-java security update
Previous by thread: [SECURITY] [DLA 1661-1] mumble security update
Next by thread: [SECURITY] [DLA 1662-1] libthrift-java security update
Index(es):
- Date
- Thread