Your message dated Tue, 02 Jun 2026 06:04:43 +0000
with message-id <[email protected]>
and subject line Bug#1138293: fixed in sshfs-fuse 3.7.3-1.2
has caused the Debian Bug report #1138293,
regarding sshfs-fuse: CVE-2026-47187 CVE-2026-48711
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
1138293: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1138293
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: sshfs-fuse
Version: 3.7.3-1.1
Severity: grave
Tags: security upstream
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>
Hi,
The following vulnerabilities were published for sshfs-fuse.
CVE-2026-47187[0]:
| Symlink escape - rogue SFTP server -> local file read/write
CVE-2026-48711[1]:
| ssh argument injection via bracketed mount source
If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2026-47187
https://www.cve.org/CVERecord?id=CVE-2026-47187
[1] https://security-tracker.debian.org/tracker/CVE-2026-48711
https://www.cve.org/CVERecord?id=CVE-2026-48711
[2] https://www.openwall.com/lists/oss-security/2026/05/30/3
Regards,
Salvatore
--- End Message ---
--- Begin Message ---
Source: sshfs-fuse
Source-Version: 3.7.3-1.2
Done: Salvatore Bonaccorso <[email protected]>
We believe that the bug you reported is fixed in the latest version of
sshfs-fuse, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Salvatore Bonaccorso <[email protected]> (supplier of updated sshfs-fuse
package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Sat, 30 May 2026 17:20:39 +0200
Source: sshfs-fuse
Architecture: source
Version: 3.7.3-1.2
Distribution: unstable
Urgency: high
Maintainer: Bartosz Fenski <[email protected]>
Changed-By: Salvatore Bonaccorso <[email protected]>
Closes: 1138293
Changes:
 sshfs-fuse (3.7.3-1.2) unstable; urgency=high
 .
   * Non-maintainer upload.
   * add contain_symlinks option to prevent symlink escape attacks
     (CVE-2026-47187) (Closes: #1138293)
   * reject hostname option injection via bracketed mount source
     (CVE-2026-48711)
     (Closes: #1138293)
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
--- End Message ---