Your message dated Wed, 28 Dec 2005 08:02:06 -0800 with message-id <[EMAIL PROTECTED]> and subject line Bug#344395: fixed in rssh 2.3.0-1 has caused the attached Bug report to be marked as done.
This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what I am talking about this indicates a serious mail system misconfiguration somewhere. Please contact me immediately.)

Debian bug tracking system administrator
(administrator, Debian Bugs database)

--------------------------------------
Received: (at submit) by bugs.debian.org; 22 Dec 2005 12:13:41 +0000
Date: Thu, 22 Dec 2005 14:13:37 +0200
From: Mikko Hänninen <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
Subject: Root compromise bug if rssh_chroot_helper is installed suid
Message-ID: <[EMAIL PROTECTED]>

Package: rssh
Version: 2.2.3-1
Severity: grave
Tags: security

From the rssh website, http://www.pizzashack.org/rssh/

  Important Security Notice: Max Vozeler has reported a problem whereby rssh
  can allow users who have shell access to systems where rssh is installed
  (and rssh_chroot_helper is installed SUID) to gain root access to the
  system, due to the ability to chroot to arbitrary locations. There are a
  lot of potentially mitigating factors, but to be safe you should upgrade
  immediately. This bug affects all versions of rssh from v2.0.0 to v2.2.3,
  so please upgrade now!

I believe this affects the Debian package, since I could not find any documentation on this issue being fixed in the current stable version.

A new version, 2.3.0 is available upstream to fix this issue. I believe it will also fix bug #339531.

--
Mikko Hänninen <[EMAIL PROTECTED]>
***** Printed with 100% recycled electrons. *****

---------------------------------------
Received: (at 344395-close) by bugs.debian.org; 28 Dec 2005 16:11:54 +0000
From: Jesus Climent <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
Subject: Bug#344395: fixed in rssh 2.3.0-1
Message-Id: <[EMAIL PROTECTED]>
Sender: Archive Administrator <[EMAIL PROTECTED]>
Date: Wed, 28 Dec 2005 08:02:06 -0800

Source: rssh
Source-Version: 2.3.0-1

We believe that the bug you reported is fixed in the latest version of rssh, which is due to be installed in the Debian FTP archive:

rssh_2.3.0-1.diff.gz
  to pool/main/r/rssh/rssh_2.3.0-1.diff.gz
rssh_2.3.0-1.dsc
  to pool/main/r/rssh/rssh_2.3.0-1.dsc
rssh_2.3.0-1_powerpc.deb
  to pool/main/r/rssh/rssh_2.3.0-1_powerpc.deb
rssh_2.3.0.orig.tar.gz
  to pool/main/r/rssh/rssh_2.3.0.orig.tar.gz

A summary of the changes between this version and the previous one is attached.

Thank you for reporting the bug, which will now be closed. If you have further comments please address them to [EMAIL PROTECTED], and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Jesus Climent <[EMAIL PROTECTED]> (supplier of updated rssh package)

(This message was generated automatically at their request; if you believe that there is a problem with it please contact the archive administrators by mailing [EMAIL PROTECTED])

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Mon, 19 Dec 2005 20:00:02 +0200
Source: rssh
Binary: rssh
Architecture: source powerpc
Version: 2.3.0-1
Distribution: unstable
Urgency: high
Maintainer: Jesus Climent <[EMAIL PROTECTED]>
Changed-By: Jesus Climent <[EMAIL PROTECTED]>
Description:
 rssh - Restricted shell allowing only scp, sftp, cvs, rsync and/or rdist
Closes: 344395 344424
Changes:
 rssh (2.3.0-1) unstable; urgency=high
 .
   * New upstream release.
   * This package is a security update:
     - closes CVE-2005-3345.
     - Closes: #344424, #344395
Files:
 43616b7c0360063d50654b074b0e69ae 592 net optional rssh_2.3.0-1.dsc
 4badd1c95bf9b9507e6642598e809dd5 113701 net optional rssh_2.3.0.orig.tar.gz
 7090f32e81cdf815e9311772dd1ba1c1 13888 net optional rssh_2.3.0-1.diff.gz
 b5d9a545abd38350759d017924e1b2a5 48004 net optional rssh_2.3.0-1_powerpc.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2 (GNU/Linux)

iD8DBQFDqzQrZvwdf4aUbWkRAp6wAKDbOBmJcIBKnkkc7N0y6ipQkNOcZACg7AFi
DA5h7ggZi+qz371+OSsRWRs=
=ETnF
-----END PGP SIGNATURE-----
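
An added example, not part of the original thread or of rssh or Debian tooling: a host audit for the condition the security notice describes, that is, an rssh version from v2.0.0 to v2.2.3 combined with a setuid rssh_chroot_helper. The function names are hypothetical, and it assumes purely numeric dotted upstream versions.

```shell
#!/bin/sh
# Added example: flag hosts matching Bug#344395 / CVE-2005-3345 as the
# notice states it: rssh v2.0.0..v2.2.3 with rssh_chroot_helper setuid.

# upstream_version "2.2.3-1" -> "2.2.3" (drop Debian epoch and revision)
upstream_version() {
    v=${1#*:}
    printf '%s\n' "${v%-*}"
}

# version_key "2.2.3" -> 2002003, so versions compare as plain integers.
# Assumption: up to three numeric components, each below 1000.
version_key() {
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    echo $(( ${1:-0} * 1000000 + ${2:-0} * 1000 + ${3:-0} ))
}

# True when the version lies in the affected range given in the notice.
rssh_version_affected() {
    k=$(version_key "$(upstream_version "$1")")
    [ "$k" -ge 2000000 ] && [ "$k" -le 2002003 ]
}

# True when PATH is a regular file carrying the setuid bit.
has_setuid_bit() {
    [ -f "$1" ] && [ -u "$1" ]
}

# audit_rssh VERSION HELPER_PATH: returns 1 and reports when both hold.
audit_rssh() {
    if rssh_version_affected "$1" && has_setuid_bit "$2"; then
        echo "AFFECTED: rssh $1 with setuid helper $2; upgrade to 2.3.0 or later"
        return 1
    fi
    echo "OK: rssh $1, helper $2"
}

# On a Debian host: take the version and helper path from the package
# database rather than assuming an install location.
audit_installed_rssh() {
    ver=$(dpkg-query -W -f='${Version}' rssh) || return 2
    helper=$(dpkg -L rssh | grep '/rssh_chroot_helper$' | head -n 1)
    audit_rssh "$ver" "$helper"
}
```

Run `audit_installed_rssh` on each host; a non-zero exit status means the package needs the 2.3.0-1 update.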