
Bug#270770: ssh: CAN-2004-0175 "Directory traversal vulnerability in scp for OpenSSH before 3.4p1"



severity 270770 important
thanks

On Thu, Sep 09, 2004 at 09:28:03AM -0700, Matt Zimmerman wrote:
> The reason that you see this pattern is that:
> 
> - The flaw is truly in the rcp protocol, and I don't think it can be fixed
>   properly without incompatibly changing it
> 
> - The effects were not judged serious enough to implement the various
>   attempts at workarounds
> 
> - The OpenBSD CVS commit you reference is a partial workaround, not a fix
> 
> As far as I know, no vendors shipping OpenSSH have found this issue
> appropriate for a security update.

If the security team doesn't feel this is serious enough to issue a
security advisory, I don't see a reason to argue, so downgrading for
now.

Cheers,

-- 
Colin Watson                                       [cjwatson@debian.org]



