All, Today I released rssh-2.3.4, which fixes an old issue, and a new issue: On Tue, May 08, 2012 at 01:14:26PM -0500, Derek Martin wrote: > rssh is a shell for restricting SSH access to a machine to only scp, > sftp, or a small set of similar applications. > > http://www.pizzashack.org/rssh/ > > Henrik Erkkonen has discovered that, through clever manipulation of > environment variables on the ssh command line, it is possible to > circumvent rssh. As far as I can tell, there is no way to effect a > root compromise, except of course if the root account is the one > you're attempting to protect with rssh... This was CVE-2012-3478, for which I had originally only posted a patch to the rssh mailing list. It is now fixed in the new release. The new issue is CVE-2012-2252, which involves improper filtering of the rsync command line, when rsync support is configured. This may be somewhat of a non-issue for recent stock rssh installations, as stock rssh does not support newer rsync binaries which use -e to specify the rsync protocol; thus if you're using rssh with a recent istallation, rsync does not work for you anyway, and you therefore most likely have it disabled by config. Nevertheless, it is a legitimate security concern if you have rsync enabled in the configuration. This also is fixed in 2.3.4. This release also includes some mostly trivial updates for the build and a bit of minor code clean-up. For people using rssh packages from Debian, Red Hat, or one of their derivatives, a third vulnerability was recently discovered, assigned CVE-2012-2251. This issue exists only in a third-party patch to make rssh work with newer rsync binaries. Stock rssh *is not vulnerable* to this issue. However if you are relying on your vendor to package rssh, this likely affects you. Lastly, since the vendors are providing their own packages, and I'm no longer set up to build RPMs, I am no longer providing rssh in RPM form. Please be sure to update rssh to v2.3.4, either by downloading and compiling from the website, or by updating your vendor's packages. http://www.pizzashack.org/rssh/downloads.shtml Thank you. -- Derek D. Martin http://www.pizzashack.org/ GPG Key ID: 0x81CFE75D
Attachment:
pgpCCq_3bvPCq.pgp
Description: PGP signature