Source: python-asyncssh
Version: 2.23.0-1
Severity: important
Tags: security upstream
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>

Hi,

The following vulnerability was published for python-asyncssh.

CVE-2026-54591[0]:
| AsyncSSH is a Python package which provides an asynchronous client
| and server implementation of the SSHv2 protocol on top of the Python
| asyncio framework. Prior to 2.23.1, a malicious SSH server can write
| arbitrary files on the asyncssh SCP client's filesystem by sending
| filenames containing ../ traversal sequences because _parse_cd_args
| in scp.py returns server-provided names verbatim and _recv_files
| joins them to the destination path without enforcing the target
| directory boundary. This issue is fixed in version 2.23.1.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2026-54591
    https://www.cve.org/CVERecord?id=CVE-2026-54591
[1] https://github.com/ronf/asyncssh/security/advisories/GHSA-2wxc-x7rj-hg8f
[2] 
https://github.com/ronf/asyncssh/commit/d730803b8e4e94c20c7580d90f94d1e05f9f58de

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

Reply via email to