Package: ftp.debian.org
Severity: normal

rssh has been orphaned upstream and has had a chain of security
vulnerabilities in stable that indicate that its security model
is fundamentally unsound.  Attempting to do whitelist filtering of
the arguments of various programs to protect against them running
arbitrary code is proving too challenging in practice to safely
maintain.

Upstream now recommends against further use of the program, and we
should follow that advice.

Please remove rssh from both unstable and testing so that it is not
released with the next stable release of Debian.

I'll continue to attempt to provide security support for the lifetime
of the current Debian stable.
