http://secunia.com/advisories/18579/
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-0225
http://secunia.com/advisories/18595/
scp, as the successor of rcp, is obsolete; I recommend switching to sftp or rsync. Here is the answer that Markus Friedl gave: "it's inherited from rcp, it's more or less the 'way it works'. if there is a simple way to fix it without breaking scp completely, then we can include it in a future release, but so far i consider this a minor problem."
Then maybe move scp into a separate package with the note "do not install under any circumstances"?
*** Bug 10001 has been marked as a duplicate of this bug. ***
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=174026
Since someone took the trouble to make a patch (https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=168167), I will look at it and attach it.
* Tue Oct 03 2006 Dmitry V. Levin <ldv@altlinux.org> 3.6.1p2-alt8
- Backported upstream fixes for:
  + sshd connection consumption vulnerability (CVE-2004-2069: low, remote, active),
  + scp local arbitrary command execution vulnerability (CVE-2006-0225: high, local, active),
    ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  + sshd signal handler race condition (CVE-2006-5051: none, remote, active),
  + CRC compensation attack detector DoS (CVE-2006-4924: low, remote, active),
  + client NULL dereference on protocol error (CVE-2006-4925: low, remote, passive).
- Applied RH patch to plug several sftp memleaks.
Sorry, I forgot to close this.