On Tue, Jan 24, 2006 at 11:22:23AM +0100, Martin Pitt wrote: > Package: ssh > Severity: important > Tags: security patch > > Hi! > > http://bugzilla.mindrot.org/show_bug.cgi?id=1094 describes a flaw in > scp: it expands shell characters and escapes twice which could lead to > unwanted shell code execution. It affects cases where scp is used to > transfer untrusted directories, but this could happen in automated > systems, cron jobs, etc. > > The reporter provided a patch, but it has not yet been acknowledged by > upstream.
It's not clear to me whether upstream will change this, because it's not possible to fix many scp issues without breaking protocol compatibility: http://www.openssh.org/faq.html#2.10 The official line is to use sftp instead. Therefore, unless and until upstream acknowledges the bug and decides what to do about it, I don't intend to change this in Debian in case I affect protocol compatibility with other systems. Users concerned about the security impact of this bug should migrate away from scp to sftp, rsync-over-ssh, or similar. Cheers, -- Colin Watson [EMAIL PROTECTED] -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
