8922 2006-01-24 16:32:58 +0300 OpenSSH scp Command Line Shell Command Injection 2006-11-24 15:17:19 +0300 1 1 4 Development Sisyphus openssh unstable all Linux CLOSED FIXED http://secunia.com/advisories/18579/ P2 critical --- 1 icesik glebfm glebfm ldv mike solo vt vvk qa-sisyphus oldest_to_newest 35053 0 icesik 2006-01-24 16:32:58 +0300 http://secunia.com/advisories/18579/ http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-0225 http://secunia.com/advisories/18595/ 35054 1 ldv 2006-01-24 16:51:55 +0300 scp как наследник rcp морально устарел, рекомендую переходить на sftp или rsync. Вот ответ, который дал Markus Friedl: "it's inherited from rcp, it's more or less the 'way it works'. if there is a simple way to fix it without breaking scp completely, then we can include it in a future release, but so far i consider this a minor problem." 36984 2 icesik 2006-03-25 15:31:38 +0300 Может тогда вынести scp в отдельный пакет с замечание "ни в кое случае не ставить"? 40284 3 icesik 2006-09-14 15:06:00 +0400 *** Bug 10001 has been marked as a duplicate of this bug. *** 40285 4 icesik 2006-09-14 15:06:31 +0400 https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=174026 40288 5 ldv 2006-09-14 16:51:56 +0400 Раз кто-то не поленился сделать патч (https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=168167), я его посмотрю и приложу. 42459 6 mike 2006-11-24 13:05:43 +0300 * Tue Oct 03 2006 Dmitry V. Levin <ldv@altlinux.org> 3.6.1p2-alt8 - Backported upstream fixes for: + sshd connection consumption vulnerability (CVE-2004-2069: low, remote, active), + scp local arbitrary command execution vulnerability (CVE-2006-0225: high, local, active), ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ + sshd signal handler race condition (CVE-2006-5051: none, remote, active), + CRC compensation attack detector DoS (CVE-2006-4924: low, remote, active), + client NULL dereference on protocol error (CVE-2006-4925: low, remote, passive). - Applied RH patch to plug several sftp memleaks. 42467 7 icesik 2006-11-24 15:16:52 +0300 Извиняюсь, забыл закрыть.