Date: Fri, 03 Dec 2004 08:22:26 +0900 (JST) From: Hideyuki KURASHINA <rushani@FreeBSD.org> To: FreeBSD-gnats-submit@FreeBSD.org, freebsd-ports-bugs@FreeBSD.org Cc: security@FreeBSD.org Subject: Re: ports/74633: [Maintainer update] shells/scponly: Update to 4.0 (security vulnerability fixed in this version) Message-ID: <20041203.082226.98502483.rushani@FreeBSD.org> In-Reply-To: <200412022250.iB2Mo7Ds030223@freefall.freebsd.org> References: <20041203.074028.21879762.rushani@FreeBSD.org> <200412022250.iB2Mo7Ds030223@freefall.freebsd.org>
next in thread | previous in thread | raw e-mail | index | archive | help
Hi, > >Category: ports > >Responsible: freebsd-ports-bugs > >Synopsis: [Maintainer update] shells/scponly: Update to 4.0 (security vulnerability fixed in this version) > >Arrival-Date: Thu Dec 02 22:50:07 GMT 2004 I made a patch for this issue. Please consider applying following one to ports/security/vuxml/vuln.xml. Any improvements are welcome including words/grammer corrections. Regards, -- rushani --- vuln.xml.orig Fri Dec 3 08:13:10 2004 +++ vuln.xml Fri Dec 3 08:14:30 2004 @@ -32,6 +32,39 @@ --> <vuxml xmlns="http://www.vuxml.org/apps/vuxml-1">; + <vuln vid="f11b219a-44b6-11d9-ae2f-021106004fd6"> + <topic>rssh & scponly -- arbitrary command execution</topic> + <affects> + <package> + <name>rssh</name> + <range><le>2.2.2</le></range> + </package> + <package> + <name>scponly</name> + <range><lt>4.0</lt></range> + </package> + </affects> + <description> + <body xmlns="http://www.w3.org/1999/xhtml">; + <p>Jason Wies identified both rssh & scponly has a vulnerability + that allows arbitrary command execution. He reports:</p> + <blockquote cite="http://marc.theaimsgroup.com/?l=bugtraq&m=110202047507273">; + <p>The problem is compounded when you recognize that the main use of rssh and + scponly is to allow file transfers, which in turn allows a malicious user to + transfer and execute entire custom scripts on the remote machine.</p> + </blockquote> + </body> + </description> + <references> + <freebsdpr>ports/74633</freebsdpr> + <mlist msgid="20041202135143.GA7105@xc.net">http://marc.theaimsgroup.com/?l=bugtraq&m=110202047507273</mlist>; + </references> + <dates> + <discovery>2004-11-28</discovery> + <entry>2004-12-02</entry> + </dates> + </vuln> + <vuln vid="2b4d5288-447e-11d9-9ebb-000854d03344"> <topic>rockdodger -- buffer overflows</topic> <affects>
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20041203.082226.98502483.rushani>