Bug#270770: ssh: CAN-2004-0175 "Directory traversal vulnerability in scp for OpenSSH before 3.4p1"
severity 270770 important
thanks
On Thu, Sep 09, 2004 at 09:28:03AM -0700, Matt Zimmerman wrote:
> The reason that you see this pattern is that:
>
> - The flaw is truly in the rcp protocol, and I don't think it can be fixed
> properly without incompatibly changing it
>
> - The effects were not judged serious enough to implement the various
> attempts at workarounds
>
> - The OpenBSD CVS commit you reference is a partial workaround, not a fix
>
> As far as I know, no vendors shipping OpenSSH have found this issue
> appropriate for a security update.

If the security team doesn't feel this is serious enough to issue a
security advisory, I don't see a reason to argue, so downgrading for
now.

Cheers,
--
Colin Watson [cjwatson@debian.org]