Format: 1.8
Date: Wed, 30 Jan 2019 18:34:46 +0100
Source: rssh
Binary: rssh
Architecture: source amd64
Version: 2.3.4-4+deb8u1
Distribution: jessie-security
Urgency: high
Maintainer: Russ Allbery <rra@debian.org>
Changed-By: Markus Koschany <apo@debian.org>
Description:
 rssh       - Restricted shell allowing scp, sftp, cvs, svn, rsync or rdist
Changes:
 rssh (2.3.4-4+deb8u1) jessie-security; urgency=high
 .
   * Non-maintainer upload by the LTS team.
   * Backport security fixes prepared by Debian's maintainer of rssh.
   * Validate the allowed scp command line and only permit the flags used in
     server mode and only a single argument, to attempt to prevent use of ssh
     options to run arbitrary code on the server.  This will break scp -3 to
     a system running rssh, which seems like an acceptable loss.
     (CVE-2019-1000018)
   * Tighten validation of the rsync command line to require --server be the
     first argument, which should prevent initiation of an outbound rsync
     command from the server, which in turn might allow execution of
     arbitrary code via ssh configuration similar to scp.
   * Add validation of the server command line after chroot when chroot is
     enabled.  Prior to this change, dangerous argument filtering was not
     done when chroot was configured, allowing remote code execution inside
     the chroot in some configurations via the previous two bugs and via the
     mechanisms in CVE-2012-2251 and CVE-2012-2252.
   * Document that the cvs server-side dangerous option filtering is
     probably insufficient and should not be considered secure.
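The scp and rsync rules described in the changelog, as an added example in C that is not rssh's own code: the allow-list of server-mode scp flags (-t, -f, -r, -d, -p, -v) is an assumption made here, the tokenizer ignores shell quoting, and the check is meant to run on the command line that will actually be executed, i.e. after any chroot, as the third changelog entry requires.

```c
#include <stdbool.h>
#include <string.h>

/* scp(1) runs its remote side as "scp -t dir" or "scp -f file", optionally with
 * -r, -d, -p or -v (assumed allow-list, not rssh's). Any other flag can make scp
 * execute another program, so it is rejected, as is a second non-flag argument. */
static bool scp_allowed(int argc, char **argv)
{
    int paths = 0, modes = 0;
    for (int i = 1; i < argc; i++) {
        const char *a = argv[i];
        if (a[0] != '-' || a[1] == '\0') {   /* the single path argument */
            paths++;
            continue;
        }
        for (const char *p = a + 1; *p != '\0'; p++) {
            if (strchr("tfrdpv", *p) == NULL)
                return false;                /* e.g. -S or -o: refuse */
            if (*p == 't' || *p == 'f')
                modes++;                     /* exactly one of -t / -f */
        }
    }
    return modes == 1 && paths == 1;
}

/* rsync rule from the changelog: --server must be the very first argument. */
static bool rsync_allowed(int argc, char **argv)
{
    return argc >= 2 && strcmp(argv[1], "--server") == 0;
}

/* Split the command line on blanks and apply the rule for its first word.
 * Commands this example has no rule for are refused. */
bool command_allowed(const char *cmdline)
{
    char buf[1024], *argv[32];
    int argc = 0;
    if (strlen(cmdline) >= sizeof buf) return false;
    strcpy(buf, cmdline);
    for (char *t = strtok(buf, " \t"); t != NULL && argc < 32; t = strtok(NULL, " \t"))
        argv[argc++] = t;
    if (argc == 0) return false;
    if (strcmp(argv[0], "scp") == 0)
        return scp_allowed(argc, argv);
    if (strcmp(argv[0], "rsync") == 0)
        return rsync_allowed(argc, argv);
    return false;
}
```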