
Bug#919101: openssh: CVE-2018-20685: scp.c in the scp client allows remote SSH servers to bypass intended access restrictions



Source: openssh
Version: 1:7.9p1-4
Severity: important
Tags: patch security upstream
Control: found -1 1:7.4p1-10
Control: found -1 1:7.4p1-10+deb9u4

Hi,

The following vulnerability was published for openssh.

CVE-2018-20685[0]:
| In OpenSSH 7.9, scp.c in the scp client allows remote SSH servers to
| bypass intended access restrictions via the filename of . or an empty
| filename.

More information is found in [1], where upstream fixed it in [2].
There are related issues described in [1] which I explicitly do not
track in this bug as they are not yet addressed upstream (and I did not
want to mix reports). They are described in [1] as issues #2, #3 and #4
and got their own CVEs (CVE-2019-6109, CVE-2019-6110, CVE-2019-6111). Not
sure if upstream intends to address those as well.

The described vulnerabilities would require that a victim accepts the
wrong host fingerprint though of a man-in-the-middle attacker server.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2018-20685
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20685
[1] https://sintonen.fi/advisories/scp-client-multiple-vulnerabilities.txt
[2] https://github.com/openssh/openssh-portable/commit/6010c0303a422a9c5fa8860c061bf7105eb7f8b2

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore
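
The check that the CVE description calls for, as an added example that is not part of the original report and not OpenSSH's code: a client-side validator that refuses an empty name, `.`, `..` or a name containing `/` when it arrives from the remote side. The record layout, `check_record`, `name_is_safe` and the sample records are assumptions of this example.

```c
#include <stdio.h>
#include <string.h>

enum rec_status { REC_OK, REC_MALFORMED, REC_BAD_NAME };

/* Hypothetical helper: accept a server-supplied name only if it is a
 * single, real path component. */
static int name_is_safe(const char *name)
{
    if (*name == '\0')                      /* empty filename */
        return 0;
    if (strcmp(name, ".") == 0 || strcmp(name, "..") == 0)
        return 0;                           /* names a directory itself */
    return strchr(name, '/') == NULL;       /* no embedded path */
}

/* Check one control record of the assumed form
 * "<C|D><4 octal digits> <decimal size> <name>", newline already stripped. */
enum rec_status check_record(const char *rec)
{
    const char *p = rec;
    int i;

    if (*p != 'C' && *p != 'D')
        return REC_MALFORMED;
    for (p++, i = 0; i < 4; i++, p++)
        if (*p < '0' || *p > '7')
            return REC_MALFORMED;
    if (*p++ != ' ' || *p < '0' || *p > '9')
        return REC_MALFORMED;
    while (*p >= '0' && *p <= '9')
        p++;
    if (*p++ != ' ')
        return REC_MALFORMED;
    return name_is_safe(p) ? REC_OK : REC_BAD_NAME;
}

int main(void)
{
    /* Constructed sample records, not captured traffic. */
    const char *samples[] = { "C0644 12 notes.txt", "D0755 0 .",
                              "D0755 0 ", "C0644 5 sub/x" };
    size_t i;

    for (i = 0; i < sizeof(samples) / sizeof(samples[0]); i++)
        printf("%-22s -> %d\n", samples[i], check_record(samples[i]));
    return 0;
}
```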

