Re: rssh security announcement
All,
Today I released rssh-2.3.4, which fixes an old issue, and a new
issue:
On Tue, May 08, 2012 at 01:14:26PM -0500, Derek Martin wrote:
> rssh is a shell for restricting SSH access to a machine to only scp,
> sftp, or a small set of similar applications.
>
> http://www.pizzashack.org/rssh/
>
> Henrik Erkkonen has discovered that, through clever manipulation of
> environment variables on the ssh command line, it is possible to
> circumvent rssh. As far as I can tell, there is no way to effect a
> root compromise, except of course if the root account is the one
> you're attempting to protect with rssh...
This was CVE-2012-3478, for which I had originally only posted a patch
to the rssh mailing list. It is now fixed in the new release.
The new issue is CVE-2012-2252, which involves improper filtering of
the rsync command line, when rsync support is configured. This may be
somewhat of a non-issue for recent stock rssh installations, as
stock rssh does not support newer rsync binaries which use -e to
specify the rsync protocol; thus if you're using rssh with a recent
installation, rsync does not work for you anyway, and you therefore
most likely have it disabled by config. Nevertheless, it is a
legitimate security concern if you have rsync enabled in the
configuration. This also is fixed in 2.3.4.
This release also includes some mostly trivial updates for the build
and a bit of minor code clean-up.
For people using rssh packages from Debian, Red Hat, or one of their
derivatives, a third vulnerability was recently discovered, assigned
CVE-2012-2251. This issue exists only in a third-party patch to make
rssh work with newer rsync binaries. Stock rssh *is not vulnerable*
to this issue. However if you are relying on your vendor to package
rssh, this likely affects you.
Lastly, since the vendors are providing their own packages, and I'm no
longer set up to build RPMs, I am no longer providing rssh in RPM
form. Please be sure to update rssh to v2.3.4, either by downloading
and compiling from the website, or by updating your vendor's packages.
http://www.pizzashack.org/rssh/downloads.shtml
Thank you.
-- 
Derek D. Martin
http://www.pizzashack.org/
GPG Key ID: 0x81CFE75D