Bug 8922 - OpenSSH scp Command Line Shell Command Injection
: OpenSSH scp Command Line Shell Command Injection
Status: CLOSED FIXED
: Sisyphus
(All bugs in Sisyphus/openssh)
: unstable
: all Linux
: P2 critical
Assigned To:
:
: http://secunia.com/advisories/18579/
:
:
:
  Show dependency tree
 
Reported: 2006-01-24 16:32 by
Modified: 2006-11-24 15:17 (History)


Attachments


Note

You need to log in before you can comment on or make changes to this bug.


------- Comment #1 From 2006-01-24 16:51:55 -------
scp как наследник rcp морально устарел, рекомендую переходить на sftp или
rsync.

Вот ответ, который дал Markus Friedl:
"it's inherited from rcp, it's more or less the 'way it works'. if there is a
simple way to fix it without breaking scp completely, then we can include it in
a future release, but so far i consider this a minor problem."
------- Comment #2 From 2006-03-25 15:31:38 -------
Может тогда вынести scp в отдельный пакет с замечание "ни в кое случае не
ставить"?
------- Comment #3 From 2006-09-14 15:06:00 -------
*** Bug 10001 has been marked as a duplicate of this bug. ***
------- Comment #4 From 2006-09-14 15:06:31 -------
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=174026
------- Comment #5 From 2006-09-14 16:51:56 -------
Раз кто-то не поленился сделать патч
(https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=168167),
я его посмотрю и приложу.
------- Comment #6 From 2006-11-24 13:05:43 -------
* Tue Oct 03 2006 Dmitry V. Levin <ldv@altlinux.org> 3.6.1p2-alt8
- Backported upstream fixes for:
  + sshd connection consumption vulnerability
    (CVE-2004-2069: low, remote, active),
  + scp local arbitrary command execution vulnerability
    (CVE-2006-0225: high, local, active),
    ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  + sshd signal handler race condition
    (CVE-2006-5051: none, remote, active),
  + CRC compensation attack detector DoS
    (CVE-2006-4924: low, remote, active),
  + client NULL dereference on protocol error
    (CVE-2006-4925: low, remote, passive).
- Applied RH patch to plug several sftp memleaks.
------- Comment #7 From 2006-11-24 15:16:52 -------
Извиняюсь, забыл закрыть.