* debian/patches:
+ Add libssh-regression-fix-CVE-2019-14889.patch. In src/sshprocess.cpp:
strip ~/, ~user{,/}, ${HOME}{,/} and $HOME{,/} from destination paths
in scp mode. Fixes: #1428. This was already necessary for pascp (PuTTY-
based Windows solution for Kerberos support), but newer libssh versions
with the CVE-2019-14889 also interpret paths as literal strings.
(LP: #1856795).
-- Mike Gabriel <email address hidden> Wed, 25 Dec 2019 21:11:41 +0100
This bug was fixed in the package x2goclient - 4.1.1.1- 2ubuntu0. 18.04.1
--------------- 1-2ubuntu0. 18.04.1) bionic; urgency=medium
x2goclient (4.1.1.
* debian/patches: regression- fix-CVE- 2019-14889. patch. In src/sshprocess.cpp:
+ Add libssh-
strip ~/, ~user{,/}, ${HOME}{,/} and $HOME{,/} from destination paths
in scp mode. Fixes: #1428. This was already necessary for pascp (PuTTY-
based Windows solution for Kerberos support), but newer libssh versions
with the CVE-2019-14889 also interpret paths as literal strings.
(LP: #1856795).
-- Mike Gabriel <email address hidden> Wed, 25 Dec 2019 21:11:41 +0100