Re: rssh security announcement
Brought to you by:
xystrus
From: Russ A. <rr...@st...> - 2012-05-09 17:44:07
|
Derek Martin <co...@pi...> writes: > On Tue, May 08, 2012 at 08:50:11PM -0400, Nico Kadel-Garcia wrote: >> Is it still a problem with OpenSSH version 6, which was >> recently published? > Yes. The flaw is in how rssh parses command lines, irrespective of what > SSH implementation is used. I've been a bit vague about the details for > the moment; I'm hoping that the announcement will generate some interest > in taking over the maintenance of the project. I'd like to have some > sense of what will happen next before the full details are disclosed. > If someone wants to step forward, it would be good to give them a chance > to fix it before that happens. I can't realistically offer to take over upstream development, as I have too much else on my plate, but I plan on continuing to maintain the Debian package for rssh unless the security situation is untenable, and I'm happy to help at least with merging the current Debian patches and trying to review other changes. Particularly if the source ended up on Github or some other public Git hosting facility that's a little less annoying than Sourceforge, but I can deal with Sourceforge if that's what people really want to use. So if someone else is willing to step up, I can at least offer to have you not be alone. :) -- Russ Allbery (rr...@st...) <http://www.eyrie.org/~eagle/> |