rssh 2.3.4-10 source package in Ubuntu
Changelog
rssh (2.3.4-10) unstable; urgency=high

  * Also reject rsync --daemon and --config command-line options, which can be used to run arbitrary commands. Thanks, Nick Cleaton. (CVE-2019-3463)
  * Unset the HOME environment variable when running rsync to prevent popt (against which rsync is linked) from loading a ~/.popt configuration file, which can run arbitrary commands on the server or redefine command-line options to bypass argument checking. Thanks, Nick Cleaton. (CVE-2019-3463)
  * Do not stop checking the rsync command line at --, since this can be an argument to some other option and later arguments may still be interpreted as options. In the few cases where one needs to rsync to files named things like --rsh, the client can use ./--rsh instead. Thanks, Nick Cleaton.
  * Remove now-unused variables from the rsync validation patch.

 -- Russ Allbery <email address hidden>  Sat, 02 Feb 2019 10:59:47 -0800
Upload details
- Uploaded by: Russ Allbery
- Uploaded to: Sid
- Original maintainer: Russ Allbery
- Architectures: any
- Section: net
- Urgency: Very Urgent
Downloads
File | Size | SHA-256 Checksum |
---|---|---|
rssh_2.3.4-10.dsc | 1.5 KiB | 100519617bc5ebe7e9873af0f9fa360801ee0d75dcc8ec25a9583aec5d06d9f5 |
rssh_2.3.4.orig.tar.gz | 110.7 KiB | f30c6a760918a0ed39cf9e49a49a76cb309d7ef1c25a66e77a41e2b1d0b40cd9 |
rssh_2.3.4-10.debian.tar.xz | 29.6 KiB | 2c41e3c3905ae87249b0ad028b20e88a86d1bf4445e3be216ff87733221e1b5d |
Available diffs
- diff from 2.3.4-9 to 2.3.4-10 (4.1 KiB)
No changes file available.
Binary packages built by this source
- rssh: No summary available for rssh in ubuntu disco.
No description available for rssh in ubuntu disco.
- rssh-dbgsym: No summary available for rssh-dbgsym in ubuntu disco.
No description available for rssh-dbgsym in ubuntu disco.