-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Sat, 02 Feb 2019 10:59:47 -0800
Source: rssh
Architecture: source
Version: 2.3.4-10
Distribution: unstable
Urgency: high
Maintainer: Russ Allbery <rra@debian.org>
Changed-By: Russ Allbery <rra@debian.org>
Changes:
 rssh (2.3.4-10) unstable; urgency=high
 .
   * Also reject rsync --daemon and --config command-line options, which can
     be used to run arbitrary commands.  Thanks, Nick Cleaton.  (CVE-2019-3463)
   * Unset the HOME environment variable when running rsync to prevent popt
     (against which rsync is linked) from loading a ~/.popt configuration
     file, which can run arbitrary commands on the server or redefine
     command-line options to bypass argument checking.  Thanks, Nick Cleaton.
     (CVE-2019-3463)
   * Do not stop checking the rsync command line at --, since this can be an
     argument to some other option and later arguments may still be
     interpreted as options.  In the few cases where one needs to rsync to
     files named things like --rsh, the client can use ./--rsh instead.
     Thanks, Nick Cleaton.
   * Remove now-unused variables from the rsync validation patch.
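The following C functions are an added illustration of the two server-side checks described in the changelog entry above; they are not rssh's own code. The denied option list, the function names and the exact matching rule (an option name, alone or followed by "=") are assumptions of this example.

```c
/* Added illustration, not rssh's own code: filter an rsync server command
 * line and scrub the environment as the changelog entry describes. */
#define _POSIX_C_SOURCE 200809L
#include <stdlib.h>
#include <string.h>

/* Long options that let the client hand rsync a command or a config file.
 * This list is an assumption of the example, not rssh's actual list. */
static const char *const denied_opts[] = {
    "--daemon", "--config", "--rsh", NULL
};

/* Return 1 if arg is exactly a denied option or its "--option=value"
 * form, else 0. */
static int is_denied_option(const char *arg)
{
    for (const char *const *p = denied_opts; *p != NULL; p++) {
        size_t n = strlen(*p);
        if (strncmp(arg, *p, n) == 0 && (arg[n] == '\0' || arg[n] == '='))
            return 1;
    }
    return 0;
}

/* Return the index of the first denied argument, or -1 if there is none.
 * Every argument after argv[0] is inspected and the scan does NOT stop at
 * "--": that token may itself be the value of an earlier option, so later
 * arguments could still be parsed as options.  A client that really needs
 * a file named "--rsh" passes "./--rsh", which does not match. */
int check_rsync_args(int argc, char *const argv[])
{
    for (int i = 1; i < argc; i++) {
        if (is_denied_option(argv[i]))
            return i;
    }
    return -1;
}

/* Drop HOME before exec'ing rsync so popt cannot load ~/.popt from the
 * user's home directory.  Returns 0 on success, like unsetenv(3). */
int scrub_rsync_env(void)
{
    return unsetenv("HOME");
}
```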
Checksums-Sha1:
 653927e9f563caa618bc79ceed492b020f741db2 1553 rssh_2.3.4-10.dsc
 a5e4f8cab40c8c7f9f454e2154ee4e7b38f8235a 30280 rssh_2.3.4-10.debian.tar.xz
Checksums-Sha256:
 100519617bc5ebe7e9873af0f9fa360801ee0d75dcc8ec25a9583aec5d06d9f5 1553 rssh_2.3.4-10.dsc
 2c41e3c3905ae87249b0ad028b20e88a86d1bf4445e3be216ff87733221e1b5d 30280 rssh_2.3.4-10.debian.tar.xz
Files:
 bfaf5c2799545bf54f8d7b0b68fb81a2 1553 net optional rssh_2.3.4-10.dsc
 3acfc99e2106da0343f47f9a71e3f2e1 30280 net optional rssh_2.3.4-10.debian.tar.xz