Thanks for the report! While I don't use or maintain the Ubuntu version
of rssh, it looks like Ubuntu is importing the Debian security fixes,
and this is indeed a regression in Debian as well. I'm working on a fix
now, and checking with the Debian security team to confirm that it's
worth a regression update. Presumably Ubuntu would then pull it in.

Please note that rssh is orphaned upstream and both upstream and I agree
that its security model is not maintainable going forward, largely due
to this sort of problem and the complexity of trying to analyze command
lines for other programs that constantly change. The next stable release
of Debian (and hence probably Ubuntu) will not contain the package, so
you may want to start evaluating alternatives.

-- 
https://bugs.launchpad.net/bugs/1815935

Title:
  Regression in 2.3.4-4+deb8u1build0.16.04.1 on scp command parsing
