
Bug#270770: marked as done (ssh: CAN-2004-0175 "Directory traversal vulnerability in scp for OpenSSH before 3.4p1")



Your message dated Sat, 6 Dec 2008 23:04:18 +0900
with message-id <20081206230418.a8ec3310.henrich@debian.or.jp>
and subject line this bug is too old, so it does not affect Debian now.
has caused the Debian Bug report #270770,
regarding ssh: CAN-2004-0175 "Directory traversal vulnerability in scp for OpenSSH before 3.4p1"
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
270770: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=270770
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: ssh
Version: 1:3.8.1p1-8
Severity: critical
Tags: security,woody
Justification: causes serious data loss

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Dear ssh maintainer,

 CAN-2004-0175 says "Directory traversal vulnerability in scp for OpenSSH 
 before 3.4p1" and woody's ssh package version is "1:3.4p1-1.woody.3".
 (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0175)

 RH bugzilla pointed out the fix code
 http://www.openbsd.org/cgi-bin/cvsweb/src/usr.bin/ssh/scp.c.diff?r1=1.113&r2=1.114
 and I've checked woody's ssh code, but have not found such fixes.

 So I think this vulnerability affects Debian.


- ---------------------------------------------------------------------------------
 * I cannot find any information about it on the openssh website. (Why?)
  (http://www.openssh.com/security.html)

 * Apple: APPLE-SA-2004-09-07: Security Update 2004-09-07
  (http://lists.apple.com/mhonarc/security-announce/msg00058.html)

 * CLSA-2004:831 openssh
  (http://distro.conectiva.com.br/atualizacoes/index.php?id=a&anuncio=000831)

 * In SuSE-SA:2004:009: Linux Kernel, as just a "pending and workaround" issue.
   (http://www.suse.com/de/security/2004_09_kernel.html)
   
 * Red Hat has not yet released an SA, but a related bugzilla post is here.
   https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=120147   
- ---------------------------------------------------------------------------------

 Could you check it, please?

 ... and if it would not affect woody, please add this issue in
 http://www.debian.org/security/nonvulns-woody .


 thanks.
    


- --
Regards,

 Hideki Yamane     henrich @ samba.gr.jp/iijmio-mail.jp


-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.5 (GNU/Linux)

iD8DBQFBQAImIu0hy8THJksRAuQdAKCLpwn8lgkeyFCpbc27QKIMqfr16gCfTnCL
8MnXrQoxDwgyff2BxYDkKzU=
=8p0W
-----END PGP SIGNATURE-----


--- End Message ---
--- Begin Message ---
close 270770
This bug is too old, so it does not affect Debian, now.

-- 
Regards,

 Hideki Yamane     henrich @ debian.or.jp/iijmio-mail.jp
 http://wiki.debian.org/HidekiYamane


--- End Message ---
