Re: [PATCH] Add 2010, 2012 Security notices to SECURITY
From: Derek M. <co...@pi...> - 2021-01-22 05:09:02
Hi Spencer,

As of January 28 of last year I announced that rssh is no longer maintained. As Russ says, it's just not able to do its job effectively for a host of reasons. I guess I neglected to update the web site... I should do that soon.

--
Derek D. Martin
http://www.pizzashack.org/
GPG Key ID: 0x81CFE75D

On Sat, Jan 16, 2021 at 09:50:50PM -0800, Spenser Truex wrote:
> From website
> http://pizzashack.org/rssh/security.shtml
> ---
> SECURITY | 16 ++++++++++++++--
> 1 file changed, 14 insertions(+), 2 deletions(-)
>
> diff --git a/SECURITY b/SECURITY
> index 98c1e43..aede2e8 100644
> --- a/SECURITY
> +++ b/SECURITY
> @@ -8,0 +9,13 @@ have affected rssh since I started developing it. > +Nov 27, 2012 > +A couple of issues have been discovered with command line parsing and validation, which allow rssh to be bypassed. > + > + CVE-2012-3478: Improper filtering of environment variables > + CVE-2012-2252: Improper filtering of rsync command line > + > +August 1, 2010 > +Almost 5 years without a legitimate security issue reported. > + > +John Barber reported a problem where, if the system administrator misconfigures rssh by providing two few access bits in the configuration file, the user will be given default permissions (scp) to the entire system, potentially circumventing any configured chroot. Fixing this required a behavior change: In the past, using rssh without a config file would give all users default access to use scp on an unchrooted system. In order to correct the reported bug, this feature has been eliminated, and you must now have a valid configuration file. If no config file exists, all users will be locked out. > + > +Maarten van der Schrieck noticed a bug where, under conditions which are too far-fetched to describe, the rssh_chroot_helper could crash due to calling fgets with a null pointer. This can not occur with a normal, proper installation of rssh. The code path that causes this can only be reached if the system administrator deliberately installs rssh improperly, and the hoops through which one must jump to get it to occur are substantial, so the security impact here is basically nil. But it is a legitimate bug, so I fixed it nonetheless. > + > @@ -115 +128 @@ The 2.2.0 release of rssh fixed the problem in question, but was > -mistakenly released missing some code for parsing per-user options. > +mistakenly released missing some code for parsing per-user options. 
> @@ -198 +210,0 @@ with chroot jails. > - > -- > 2.30.0 > > -- > 7E7B 2078 A241 3205 F469 3B21 0AD4 8D58 F9FB DDC6 > Spenser Truex https://equwal.com > _______________________________________________ > rssh-discuss mailing list > rss...@li... > https://lists.sourceforge.net/lists/listinfo/rssh-discuss |
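Review bot: in the @@ -8,0 +9,13 @@ hunk, the two CVE lines under "Nov 27, 2012" name the issues but give no release in which they are fixed, so a reader of SECURITY cannot tell from this entry whether an installed rssh is affected; add the fixed version if the website page states one. In the same hunk, the John Barber paragraph reads "providing two few access bits", which should be "too few". The three added paragraphs are each one very long line, while the line touched at @@ -115 is short, which suggests the file is hard-wrapped; wrap the new text to match.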
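Review bot: the @@ -115 +128 @@ and @@ -198 +210,0 @@ hunks are whitespace-only and unrelated to the subject line. At -115/+128 the removed and added lines carry the same text ("mistakenly released missing some code for parsing per-user options."), and at -198 the only change is the deletion of an empty line. Drop both from this patch or send them as a separate cleanup, so that the diff for the security notices contains only the 13 added notice lines.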