Package: ssh
Version: 1:3.8.1p1-8
Severity: critical
Tags: security,woody
Justification: causes serious data loss

Dear ssh maintainer,

CAN-2004-0175 says "Directory traversal vulnerability in scp for OpenSSH before 3.4p1" and woody's ssh package version is "1:3.4p1-1.woody.3".
(http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0175)

In RH bugzilla, pointed out fix code
http://www.openbsd.org/cgi-bin/cvsweb/src/usr.bin/ssh/scp.c.diff?r1=1.113&r2=1.114
and I've checked woody's ssh code, but not found such fixes. So I think this vulnerability affects Debian.

---------------------------------------------------------------------------------
* I cannot find any information about it in openssh website. (Why?)
  (http://www.openssh.com/security.html)
* Apple: APPLE-SA-2004-09-07: Security Update 2004-09-07
  (http://lists.apple.com/mhonarc/security-announce/msg00058.html)
* CLSA-2004:831 openssh
  (http://distro.conectiva.com.br/atualizacoes/index.php?id=a&anuncio=000831)
* In SuSE-SA:2004:009: Linux Kernel, as just "pending and workaround" issue.
  (http://www.suse.com/de/security/2004_09_kernel.html)
* Red Hat has not yet released SA, but related bugzilla post is here.
  https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=120147
---------------------------------------------------------------------------------

Could you check it, please?
... and if it would not affect woody, please add this issue in http://www.debian.org/security/nonvulns-woody .

thanks.

-- 
Regards,

Hideki Yamane henrich @ samba.gr.jp/iijmio-mail.jp

