-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Fri, 01 Feb 2019 20:28:01 -0800
Source: rssh
Binary: rssh
Architecture: source amd64
Version: 2.3.4-5+deb9u2
Distribution: stretch-security
Urgency: high
Maintainer: Russ Allbery <rra@debian.org>
Changed-By: Russ Allbery <rra@debian.org>
Description:
 rssh       - Restricted shell allowing scp, sftp, cvs, svn, rsync or rdist
Changes:
 rssh (2.3.4-5+deb9u2) stretch-security; urgency=high
 .
   * Also reject rsync --daemon and --config command-line options, which can
     be used to run arbitrary commands.  Thanks, Nick Cleaton.  (CVE-2019-3463)
   * Unset the HOME environment variable when running rsync to prevent popt
     (against which rsync is linked) from loading a ~/.popt configuration
     file, which can run arbitrary commands on the server or redefine
     command-line options to bypass argument checking.  Thanks, Nick Cleaton.
     (CVE-2019-3464)
   * Do not stop checking the rsync command line at --, since this can be an
     argument to some other option and later arguments may still be
     interpreted as options.  In the few cases where one needs to rsync to
     files named things like --rsh, the client can use ./--rsh instead.
     Thanks, Nick Cleaton.
Checksums-Sha1:
Checksums-Sha256:
Files: