Your message dated Fri, 21 Apr 2006 21:17:06 -0700
with message-id <[EMAIL PROTECTED]>
and subject line Bug#346322: fixed in rssh 2.3.2-1
has caused the attached Bug report to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere.  Please contact me immediately.)

Debian bug tracking system administrator
(administrator, Debian Bugs database)

--- Begin Message ---
Package: rssh
Version: 2.3.0-1
Severity: grave
Tags: security patch
Justification: renders package unusable

Due to missing curly braces in util.c, if rssh gets as far as checking
to see if the issued command was CVS, the check will always succeed.
Furthermore, this failure can be exploited to pass -e options to CVS,
since the command invoked will actually be /usr/bin/cvs and the security
check for -e options will be bypassed.

This breaks all use of rsync and rdist since /usr/bin/cvs is actually
invoked instead of those programs.  It also bypasses all security
checking from rssh.conf if the check for what program to run gets that
far.

I've confirmed that the attached trivial patch fixes the problem.

-- System Information:
Debian Release: testing/unstable
  APT prefers testing
  APT policy: (990, 'testing'), (500, 'unstable'), (1, 'experimental')
Architecture: i386 (i686)
Shell:  /bin/sh linked to /bin/bash
Kernel: Linux 2.6.12-1-686
Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968) (ignored: LC_ALL set to C)

Versions of packages rssh depends on:
ii  debconf [debconf-2.0]         1.4.66     Debian configuration management sy
ii  openssh-server                1:4.2p1-5  Secure shell server, an rshd repla

rssh recommends no packages.

-- debconf information:
* rssh/secnote:
  rssh/update-10:
  rssh/update-config-pre-2.2:
* rssh/chroot_helper_setuid: false


--- End Message ---
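The failure mode the report describes, a brace-less `if` whose second statement silently becomes unconditional, as an added C illustration. This is constructed for this page and is neither rssh's util.c nor the reporter's patch: the `is_cmd` helper, the `select_program_buggy`/`select_program_fixed` functions, the `saw_cvs` flag and the program paths are all assumptions chosen to mirror the behaviour the report describes (every command that reaches the CVS check is dispatched to /usr/bin/cvs, and the CVS-specific option check is never armed).

```c
#include <stdio.h>
#include <string.h>

/* Constructed paths for the illustration; not taken from rssh. */
#define CMD_RSYNC "/usr/bin/rsync"
#define CMD_RDIST "/usr/bin/rdist"
#define CMD_CVS   "/usr/bin/cvs"

/* True when `name` is the whole first word of `cmdline` (hypothetical helper). */
static int is_cmd(const char *cmdline, const char *name)
{
    size_t n = strlen(name);
    return strncmp(cmdline, name, n) == 0 &&
           (cmdline[n] == '\0' || cmdline[n] == ' ');
}

/* Buggy shape: the author meant both statements to belong to the last
 * `else if`, but without braces only `*saw_cvs = 1;` is conditional.
 * `prog = CMD_CVS;` runs for every command that reaches this point, so
 * rsync and rdist requests are dispatched to cvs, and a cvs request that
 * matched nothing earlier still gets CMD_CVS with saw_cvs left at 0, so
 * the caller never runs its cvs-specific option check. */
const char *select_program_buggy(const char *cmdline, int *saw_cvs)
{
    const char *prog = NULL;
    *saw_cvs = 0;

    if (is_cmd(cmdline, "rsync"))
        prog = CMD_RSYNC;
    else if (is_cmd(cmdline, "rdist"))
        prog = CMD_RDIST;
    else if (is_cmd(cmdline, "cvs"))
        *saw_cvs = 1;
        prog = CMD_CVS;   /* BUG: indented as if inside the if, but is not */

    return prog;          /* never NULL: the default-deny path is lost */
}

/* Fixed shape: braces on every branch.  Unknown commands fall through
 * with prog == NULL, which the caller must treat as "refuse". */
const char *select_program_fixed(const char *cmdline, int *saw_cvs)
{
    const char *prog = NULL;
    *saw_cvs = 0;

    if (is_cmd(cmdline, "rsync")) {
        prog = CMD_RSYNC;
    } else if (is_cmd(cmdline, "rdist")) {
        prog = CMD_RDIST;
    } else if (is_cmd(cmdline, "cvs")) {
        *saw_cvs = 1;     /* arms the cvs-specific option check in the caller */
        prog = CMD_CVS;
    }
    return prog;
}

int main(void)
{
    /* Constructed sample command lines. */
    const char *samples[] = { "rsync --server .", "rdist -Server", "cvs server", "ls -l" };
    int cvs;

    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        const char *b = select_program_buggy(samples[i], &cvs);
        const char *f = select_program_fixed(samples[i], &cvs);
        printf("%-18s buggy -> %-16s fixed -> %s\n", samples[i],
               b ? b : "(refused)", f ? f : "(refused)");
    }
    return 0;
}
```

Two checks are worth adding to a build of code with this shape: compile with `-Wmisleading-indentation` (GCC and Clang both flag the dangling statement above), and unit-test the dispatcher with a command that matches no allowed program, asserting that it is refused rather than mapped to anything.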
--- Begin Message ---
Source: rssh
Source-Version: 2.3.2-1

We believe that the bug you reported is fixed in the latest version of
rssh, which is due to be installed in the Debian FTP archive:

rssh_2.3.2-1.diff.gz
  to pool/main/r/rssh/rssh_2.3.2-1.diff.gz
rssh_2.3.2-1.dsc
  to pool/main/r/rssh/rssh_2.3.2-1.dsc
rssh_2.3.2-1_i386.deb
  to pool/main/r/rssh/rssh_2.3.2-1_i386.deb
rssh_2.3.2.orig.tar.gz
  to pool/main/r/rssh/rssh_2.3.2.orig.tar.gz



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [EMAIL PROTECTED],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Russ Allbery <[EMAIL PROTECTED]> (supplier of updated rssh package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [EMAIL PROTECTED])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Fri, 21 Apr 2006 20:45:25 -0700
Source: rssh
Binary: rssh
Architecture: source i386
Version: 2.3.2-1
Distribution: unstable
Urgency: low
Maintainer: Jesus Climent <[EMAIL PROTECTED]>
Changed-By: Russ Allbery <[EMAIL PROTECTED]>
Description: 
 rssh       - Restricted shell allowing only scp, sftp, cvs, rsync and/or rdist
Closes: 333923 335384 335475 339531 341412 346322 355935 357715
Changes: 
 rssh (2.3.2-1) unstable; urgency=low
 .
   * New co-maintainer.
   * New upstream release.
     - Incorporates fixes from NMU.  (Closes: #346322, #355935, #357715)
     - Incorporates missing va_end also fixed in NMU.  (Closes: #339531)
   * Don't compress example scripts.  (Closes: #333923)
   * Mention chroot and jail in the rssh description.  (Closes: #335475)
   * Add libnss_compat* to the chroot script.  (Closes: #335384)
   * Drop the ssh-krb5 alternative; it doesn't use the right sftp-server
     path.  Add Suggests pointing to the other supported commands.
   * Drop the configuration caution from the package description; it's in
     the man page and the long description isn't supposed to include
     configuration information for the package.
   * Rework README.Debian a little to point to the rssh man page instead of
     SECURITY (upstream moved the security notes there) and emphasize
     reading the documentation before using the package.
   * Update logcheck rules.
   * debian/rules and debian/control cleanup.
     - Switch to quilt for patches.  It works essentially the same as the
       script the package was using but is more standard and is the current
       recommended tool.
     - Run dh_shlibdeps to pick up proper dependency information.
     - Get the debconf dependency from debhelper.
     - Use debian/compat instead of setting DH_COMPAT.
     - Use dh_installman instead of the deprecated dh_installmanpages.
     - Remove duplicate rssh.docs configuration file.
     - Don't install config.{guess,sub}; configure doesn't use them.
     - Rename NEWS.Debian to NEWS so that debhelper installs it.
     - Install logcheck rules with debhelper.
     - Simplify unused rules and remove some boilerplate.
   * Translation updates.
     - Swedish, thanks Daniel Nylander.  (Closes: #341412)
Files: 
 ad20c46e6ce646bb7e7d471519403d44 635 net optional rssh_2.3.2-1.dsc
 65712f2c06ff5fc6fc783bc8c2e4e1ba 113959 net optional rssh_2.3.2.orig.tar.gz
 5f3d1d236ffaa0fe5926ea5983344f73 15382 net optional rssh_2.3.2-1.diff.gz
 dca5777ff89837e8a14e8d56e1b33e81 49808 net optional rssh_2.3.2-1_i386.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2.2 (GNU/Linux)

iD8DBQFESae3+YXjQAr8dHYRAtCfAKCLUB1PwnhPS6B8XeknryAbpKm8sQCfe8MT
Wq78oTKRT8qk+FhHfUK1kFU=
=bwdU
-----END PGP SIGNATURE-----


--- End Message ---