Re: rssh security announcement
From: Russ A. <rr...@st...> - 2012-11-28 00:27:15
Derek Martin <co...@pi...> writes:

> This was CVE-2012-3478, for which I had originally only posted a patch
> to the rssh mailing list. It is now fixed in the new release.
>
> The new issue is CVE-2012-2252, which involves improper filtering of the
> rsync command line, when rsync support is configured. This may be
> somewhat of a non-issue for recent stock rssh installations, as stock
> rssh does not support newer rsync binaries which use -e to specify the
> rsync protocol; thus if you're using rssh with a recent installation,
> rsync does not work for you anyway, and you therefore most likely have
> it disabled by config. Nevertheless, it is a legitimate security
> concern if you have rsync enabled in the configuration. This also is
> fixed in 2.3.4.
>
> This release also includes some mostly trivial updates for the build
> and a bit of minor code clean-up.
>
> For people using rssh packages from Debian, Red Hat, or one of their
> derivatives, a third vulnerability was recently discovered, assigned
> CVE-2012-2251. This issue exists only in a third-party patch to make
> rssh work with newer rsync binaries. Stock rssh *is not vulnerable* to
> this issue. However if you are relying on your vendor to package rssh,
> this likely affects you.

Attached is the updated version of the patch used in Debian to permit
the rsync reuse of the -e option to convey protocol information, for
those who may be applying this patch to their own builds. This has not
yet been updated to be based on the 2.3.4 release and is still based on
2.3.3.

I'll be updating the Debian packaging to the new 2.3.4 release in the
coming months.

--
Russ Allbery (rr...@st...) <http://www.eyrie.org/~eagle/>