Your message dated Fri, 08 Feb 2019 17:20:47 +0000
with message-id <e1gs9px-0005qf...@fasolo.debian.org>
and subject line Bug#793412: fixed in openssh 1:7.9p1-6
has caused the Debian Bug report #793412,
regarding openssh-client: scp can send arbitrary control characters / escape sequences to the terminal (CVE-2019-6109)
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
793412: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=793412
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: openssh
Severity: important
Tags: upstream security


According to [1], specially crafted filenames containing control characters
can cause scp to execute commands in the current shell. This also works when
copying files from remote (potentially untrusted) servers
to the local client.

This works:
remote:
$ touch "ab`tput clear`cd"

local:
$ scp user@host:"/dir/ab*" .

which clears the screen in jessie.

Fedora has fixed [2] this bug already.

[1] https://bugzilla.mindrot.org/show_bug.cgi?id=2434
[2] https://bugzilla.redhat.com/show_bug.cgi?id=1247204



-- System Information:
Debian Release: 8.1
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: i386 (i686)

Kernel: Linux 3.16.0-4-586
Locale: LANG=de_AT.UTF-8, LC_CTYPE=de_AT.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

--- End Message ---
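
An added illustration (not OpenSSH's or Debian's code) of the mitigation class the fix applies: escaping every non-printable byte of a remote-supplied filename before it is written to the terminal, so a name like the one in the report above is displayed literally instead of being interpreted by the terminal. Upstream does this through its snmprintf/vis helpers; the octal escape format and the helper names here are this example's own choices.

```c
#include <stdio.h>
#include <string.h>

/* Render a remote-supplied filename so that no byte can be interpreted by
 * the terminal: printable ASCII (except '\\') is copied, everything else
 * (ESC and other controls, DEL, raw high bytes) becomes a fixed-width
 * C-style octal escape such as \033.  Mirrors snprintf: returns the length
 * of the full result, NUL-terminates when outlen > 0, accepts NULL/0. */
size_t sanitize_filename(const char *name, char *out, size_t outlen)
{
    size_t need = 0, pos = 0;

    for (const unsigned char *p = (const unsigned char *)name; *p; p++) {
        char buf[5];
        size_t len;

        if (*p >= 0x20 && *p < 0x7f && *p != '\\') {
            buf[0] = (char)*p;
            len = 1;
        } else {
            len = (size_t)snprintf(buf, sizeof buf, "\\%03o", (unsigned)*p);
        }
        need += len;
        if (pos + len < outlen) {       /* keep room for the NUL */
            memcpy(out + pos, buf, len);
            pos += len;
        }
    }
    if (outlen > 0)
        out[pos] = '\0';
    return need;
}

/* 1 if s still contains a byte a terminal could act on, else 0. */
int has_terminal_controls(const char *s)
{
    for (const unsigned char *p = (const unsigned char *)s; *p; p++)
        if (*p < 0x20 || *p >= 0x7f)
            return 1;
    return 0;
}

/* Convenience wrapper returning a static buffer (not thread-safe).
 * Constructed sample input: "ab\033[H\033[2Jcd", the bytes `tput clear`
 * emits on a typical xterm, comes back as the literal text ab\033[H\033[2Jcd. */
const char *sanitized(const char *name)
{
    static char buf[256];
    sanitize_filename(name, buf, sizeof buf);
    return buf;
}
```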
--- Begin Message ---
Source: openssh
Source-Version: 1:7.9p1-6

We believe that the bug you reported is fixed in the latest version of
openssh, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 793...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Colin Watson <cjwat...@debian.org> (supplier of updated openssh package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Fri, 08 Feb 2019 16:26:35 +0000
Source: openssh
Architecture: source
Version: 1:7.9p1-6
Distribution: unstable
Urgency: medium
Maintainer: Debian OpenSSH Maintainers <debian-...@lists.debian.org>
Changed-By: Colin Watson <cjwat...@debian.org>
Closes: 793412
Changes:
 openssh (1:7.9p1-6) unstable; urgency=medium
 .
   * CVE-2019-6109: Apply upstream patches to sanitize scp filenames via
     snmprintf (closes: #793412).
   * CVE-2019-6111: Apply upstream patch to check in scp client that
     filenames sent during remote->local directory copies satisfy the
     wildcard specified by the user.


--- End Message ---
