Accepted rssh 2.3.4-4+deb8u2 (source amd64) into oldstable
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Format: 1.8
Date: Fri, 01 Feb 2019 20:28:01 -0800
Source: rssh
Binary: rssh
Architecture: source amd64
Version: 2.3.4-4+deb8u2
Distribution: jessie-security
Urgency: high
Maintainer: Russ Allbery <rra@debian.org>
Changed-By: Russ Allbery <rra@debian.org>
Description:
rssh - Restricted shell allowing scp, sftp, cvs, svn, rsync or rdist
Changes:
rssh (2.3.4-4+deb8u2) jessie-security; urgency=high
 .
   * Non-maintainer upload by the LTS team.
   * Backport security fixes prepared by Debian's maintainer of rssh (rra).
   * Also reject rsync --daemon and --config command-line options, which
     can be used to run arbitrary commands.  Thanks, Nick Cleaton.
     (CVE-2019-3463)
   * Unset the HOME environment variable when running rsync to prevent popt
     (against which rsync is linked) from loading a ~/.popt configuration
     file, which can run arbitrary commands on the server or redefine
     command-line options to bypass argument checking.  Thanks, Nick
     Cleaton.  (CVE-2019-3464)
   * Do not stop checking the rsync command line at --, since this can be
     an argument to some other option and later arguments may still be
     interpreted as options.  In the few cases where one needs to rsync to
     files named things like --rsh, the client can use ./--rsh instead.
     Thanks, Nick Cleaton.
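The three changelog entries above describe one defensive pattern: scan every token of the rsync command line (not stopping at `--`), reject option names that hand rsync a configuration file or a command to run, and strip `HOME` from the environment so popt cannot read `~/.popt`. The following C program is an added illustration of that pattern and is not rssh's own code; the rejected-option set is only the subset named in the changelog (`--daemon`, `--config`, `--rsh`) plus rsync's `-e` short form, and the sample argument vectors and environment are constructed here for the demonstration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Illustrative subset of options to refuse, taken from the changelog above.
 * rssh's real list and matching logic differ; this is an assumption. */
static const char *const rejected_long[] = { "--daemon", "--config", "--rsh", NULL };

/* 1 if token is exactly opt or has the form "opt=value". */
static int matches_long(const char *token, const char *opt)
{
    size_t n = strlen(opt);
    return strncmp(token, opt, n) == 0 && (token[n] == '\0' || token[n] == '=');
}

/* 1 if token is rsync's short form of --rsh: "-e" or "-e<value>".
 * Caveat for anyone writing a real filter: rsync also accepts clustered
 * short options such as "-ve", which a prefix test like this does not see;
 * a production check has to model rsync's option parser completely. */
static int is_short_rsh(const char *token)
{
    return strncmp(token, "-e", 2) == 0;
}

/* Scan every argument. Returns the index of the first rejected token, or -1
 * if the command line is acceptable. Deliberately does not stop at "--":
 * as the changelog notes, "--" may itself be the value of another option,
 * so later tokens can still be interpreted as options by rsync. */
int check_rsync_args(int argc, char *const argv[])
{
    for (int i = 0; i < argc; i++) {
        const char *tok = argv[i];
        for (const char *const *o = rejected_long; *o; o++)
            if (matches_long(tok, *o))
                return i;
        if (is_short_rsh(tok))
            return i;
    }
    return -1;
}

/* Build a copy of envp with HOME removed, so popt has no home directory in
 * which to look for ~/.popt when rsync is exec'd with this environment.
 * The strings are shared with envp; the caller frees only the array. */
char **env_without_home(char *const envp[])
{
    size_t n = 0;
    while (envp[n])
        n++;
    char **out = calloc(n + 1, sizeof *out);
    if (!out)
        return NULL;
    size_t j = 0;
    for (size_t i = 0; i < n; i++)
        if (strncmp(envp[i], "HOME=", 5) != 0)
            out[j++] = envp[i];
    out[j] = NULL;
    return out;
}

int main(void)
{
    /* Constructed sample command lines; "--server" is what an sftp/rsync
     * client normally makes the remote rsync run. */
    char *const ok[]   = { "rsync", "--server", "-vlogDtpr", ".", "/srv/data/", NULL };
    char *const bad1[] = { "rsync", "--server", "--daemon", NULL };
    char *const bad2[] = { "rsync", "--server", "--", "--config=/tmp/x.conf", NULL };
    char *const env[]  = { "HOME=/home/user", "PATH=/usr/bin", "LANG=C", NULL };

    printf("ok   -> %d\n", check_rsync_args(5, ok));    /* -1 */
    printf("bad1 -> %d\n", check_rsync_args(3, bad1));  /*  2 */
    printf("bad2 -> %d\n", check_rsync_args(4, bad2));  /*  3: not stopped by "--" */

    char **clean = env_without_home(env);
    for (char **e = clean; e && *e; e++)
        printf("env: %s\n", *e);                         /* PATH and LANG only */
    free(clean);
    return 0;
}
```

The check returns the offending index rather than a boolean so the caller can log exactly which token was refused, which is the detail an operator wants when an unexpected rsync invocation is denied.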
Checksums-Sha1:
a6f1d954221c76d4258b64df1101adee9e68a979 1490 rssh_2.3.4-4+deb8u2.dsc
87d8227e455ddc75a669e6f6ae7bcaa0ffa20f81 29200 rssh_2.3.4-4+deb8u2.debian.tar.xz
359749d4d3ec966091a7e28ac4f74a7ae0d326c2 55692 rssh_2.3.4-4+deb8u2_amd64.deb
Checksums-Sha256:
520c995d07c54501c3c5af86e33b0cfedc8d3d8d9d9c94667bc73c167eff6ab8 1490 rssh_2.3.4-4+deb8u2.dsc
f51671d4bf3e59c94191fa4c2bc72c2a9c1a336f7ec157538097cc0b47750658 29200 rssh_2.3.4-4+deb8u2.debian.tar.xz
75048359ea0b8742df70e881a88260cc32add643caa876af47447ecc8c7e0f0f 55692 rssh_2.3.4-4+deb8u2_amd64.deb
Files:
c268c5dd24aeb73874263e7b4f6b7247 1490 net optional rssh_2.3.4-4+deb8u2.dsc
69e617c1b9337f0e1490cb8a8a017d5e 29200 net optional rssh_2.3.4-4+deb8u2.debian.tar.xz
b6050922a81903104cdc1f7bba71a631 55692 net optional rssh_2.3.4-4+deb8u2_amd64.deb
-----BEGIN PGP SIGNATURE-----
iQEzBAEBCAAdFiEEexZCBNCWcjsBljWrPqHd3bJh2XsFAlxZ9UcACgkQPqHd3bJh
2XsFMggAmLyHvn6uzD2j0WmMZtjHWr2gP9ksGwWnw6D0YZFjw7LM43oJtb4zB9jH
Jx8S+aZtv3TaMfCT6Tgq3WLdVwcMjVStyNCeek0JHwMjuxpbc7K1fXA4R4DH7AAz
AP3DJABUolXiBjYP47v3KUsQOdUST4RW1Xoy/QwmqiWkjy1z9RpWceh2DDpdrmYC
PAjdZt2It/iT475qd3uBI+vAV4B/kUdkEacdbxtPoHTIAdp8c2RgaC7ZJ/AfluSl
cN+B331cc+DjF7RHqAg3zz/hq4D9FyISQSmoskAOi4JdETxiG8Fh/lAoI4sqZcvg
mO9aeEpSyxuwGZo8uoqTu6qejS7u5g==
=qIIH
-----END PGP SIGNATURE-----