Your message dated Wed, 19 Jan 2005 05:17:37 -0500 with message-id <[EMAIL PROTECTED]> and subject line Bug#284207: fixed in rssh 2.2.3-1 has caused the attached Bug report to be marked as done.
This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what I am talking about this indicates a serious mail system misconfiguration somewhere. Please contact me immediately.)

Debian bug tracking system administrator
(administrator, Debian Bugs database)

--------------------------------------
From: Florian Weimer <[EMAIL PROTECTED]>
To: Debian Bug Tracking System <[EMAIL PROTECTED]>
Subject: rssh: new upstream version fixes arbitrary command execution
Date: Sat, 04 Dec 2004 11:17:30 +0100

Package: rssh
Severity: grave
Tags: security upstream
Justification: user security hole

It has been discovered that all rssh versions permit arbitrary command execution by (authenticated) users:

<http://www.securityfocus.com/archive/1/383046>

Apparently, a CVE/CAN name still has to be assigned.

rssh is unmaintained upstream. Please consider removing this package from sarge because unmaintained software designed to enforce security policies is typically a nightmare.

---------------------------------------
From: Jesus Climent <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
Subject: Bug#284207: fixed in rssh 2.2.3-1
Date: Wed, 19 Jan 2005 05:17:37 -0500

Source: rssh
Source-Version: 2.2.3-1

We believe that the bug you reported is fixed in the latest version of rssh, which is due to be installed in the Debian FTP archive:

rssh_2.2.3-1.diff.gz
  to pool/main/r/rssh/rssh_2.2.3-1.diff.gz
rssh_2.2.3-1.dsc
  to pool/main/r/rssh/rssh_2.2.3-1.dsc
rssh_2.2.3-1_i386.deb
  to pool/main/r/rssh/rssh_2.2.3-1_i386.deb
rssh_2.2.3.orig.tar.gz
  to pool/main/r/rssh/rssh_2.2.3.orig.tar.gz

A summary of the changes between this version and the previous one is attached.

Thank you for reporting the bug, which will now be closed. If you have further comments please address them to [EMAIL PROTECTED], and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Jesus Climent <[EMAIL PROTECTED]> (supplier of updated rssh package)

(This message was generated automatically at their request; if you believe that there is a problem with it please contact the archive administrators by mailing [EMAIL PROTECTED])

Format: 1.7
Date: Wed, 19 Jan 2005 10:02:13 +0000
Source: rssh
Binary: rssh
Architecture: source i386
Version: 2.2.3-1
Distribution: unstable
Urgency: high
Maintainer: Jesus Climent <[EMAIL PROTECTED]>
Changed-By: Jesus Climent <[EMAIL PROTECTED]>
Description:
 rssh - Restricted shell allowing only scp, sftp, cvs, rsync and/or rdist
Closes: 272899 276697 284207 287300 288828
Changes:
 rssh (2.2.3-1) unstable; urgency=high
 .
   * New upstream release
   * Security fix: CAN-2004-1161. Closes: #284207.
   * Translations update:
     - de.po: Jens Nachtigall (Closes: #276697)
     - ja.po: Hideki Yamane (Closes: #272899)
     - cs.po: Miroslav Kure (Closes: #287300)
     - it.po: Luca Monducci (Closes: #288828)
   * Urgency set to high due to the security fix and to get it into Sarge.
Files:
 547fac87e09766c5eacb99c8c819fc41 590 net optional rssh_2.2.3-1.dsc
 74f40a4fd5d2b097af34a817e21a33cf 107216 net optional rssh_2.2.3.orig.tar.gz
 f54950f98465d04f01d125c1b19d5782 36128 net optional rssh_2.2.3-1.diff.gz
 273908ea68d66f348e9d8f4970e59639 39970 net optional rssh_2.2.3-1_i386.deb