Bug 880174 (CVE-2012-2251)
| Field | Value |
|---|---|
| Summary | CVE-2012-2251 rssh: bypass of rsync -e option filtering |
| Product | [Other] Security Response |
| Component | vulnerability |
| Status | CLOSED ERRATA |
| Severity | medium |
| Priority | medium |
| Version | unspecified |
| Hardware | All |
| OS | Linux |
| Reporter | Tomas Hoger <thoger> |
| Assignee | Red Hat Product Security <security-response-team> |
| CC | jlieskov, jrusnack, paul-redhat, security-response-team, temp66 |
| Keywords | Security |
| Doc Type | Bug Fix |
| Last Closed | 2013-05-08 17:39:36 UTC |
| Bug Depends On | 877279, 880989 |
Description
Tomas Hoger
2012-11-26 12:33:35 UTC
Public now via Debian advisory:
http://www.debian.org/security/2012/dsa-2578

The issue is mentioned in the rssh 2.3.4 release announcement as an issue that did not affect upstream rssh (see comment 0 for details):
http://sourceforge.net/mailarchive/message.php?msg_id=30153369

Created rssh tracking bugs for this issue

Affects: epel-6 [bug 880989]

rssh-2.3.4-1.fc17 has been pushed to the Fedora 17 stable repository. If problems still persist, please make note of it in this bug report.

Is this going to be made available for the CentOS 5 repository? I ask because I'm stuck with C5.8 on a number of servers and need rssh. I did try rolling my own rssh package from the published source, but without the Debian patch for 2.3.4 being applied, it breaks because the connecting rsync host is issuing the -e.Lsf argument.

Thanks

This issue did not affect CentOS 5 as explained in comment #0. However, other issues do (bug 880992 / bug 880177 and bug 820416 / bug 820414). EPEL package maintainer has not commented on any of the related bugs yet. If you're building from source, try rebuilding current Fedora SRPM (2.3.4-1):
http://koji.fedoraproject.org/koji/packageinfo?packageID=6868

Other references:
http://archives.neohapsis.com/archives/bugtraq/2012-11/0101.html
http://www.securityfocus.com/bid/56708
http://secunia.com/advisories/51307
http://xforce.iss.net/xforce/xfdb/80334

rssh-2.3.4-1.fc18 has been pushed to the Fedora 18 stable repository. If problems still persist, please make note of it in this bug report.