On Thu, Sep 09, 2004 at 04:11:34PM +0900, Hideki Yamane wrote:
> Package: ssh
> Version: 1:3.8.1p1-8
> Severity: critical
> Tags: security,woody
> Justification: causes serious data loss
>
> Dear ssh maintainer,
>
> CAN-2004-0175 says "Directory traversal vulnerability in scp for OpenSSH
> before 3.4p1" and woody's ssh package version is "1:3.4p1-1.woody.3".
> (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0175)
>
> In RH bugzilla, pointed out fix code
>
> http://www.openbsd.org/cgi-bin/cvsweb/src/usr.bin/ssh/scp.c.diff?r1=1.113&r2=1.114
> and I've checked woody's ssh code, but not found such fixes.
>
> So I think this vulnerability affects Debian.
>
>
> ---------------------------------------------------------------------------------
> * I cannot find no information about it in openssh website. (Why?)
>   (http://www.openssh.com/security.html)
> [...]
> * In SuSE-SA:2004:009: Linux Kernel, as just "pending and workaround"
> * issue.
>   (http://www.suse.com/de/security/2004_09_kernel.html)
>
> * Red Hat has not yet released SA, but related bugzilla post is here.
>   https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=120147
> ---------------------------------------------------------------------------------

The reason that you see this pattern is that:

- The flaw is truly in the rcp protocol, and I don't think it can be fixed
  properly without incompatibly changing it

- The effects were not judged serious enough to implement the various
  attempts at workarounds

- The OpenBSD CVS commit you reference is a partial workaround, not a fix

As far as I know, no vendors shipping OpenSSH have found this issue
appropriate for a security update. The issue goes back to 2000:

http://cert.uni-stuttgart.de/archive/bugtraq/2000/09/msg00499.html

-- 
 - mdz
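
Added example, not part of the thread above and not the code of the OpenBSD commit it references: a receiving-side check on the file name carried in an rcp-style file record, assuming the record form `C<mode> <size> <name>`. The helper name `check_file_record` and the status codes are hypothetical.

```c
#include <stdlib.h>
#include <string.h>

/* Result of checking one rcp-style control record received by the sink. */
enum rec_status { REC_OK = 0, REC_MALFORMED = -1, REC_BAD_NAME = -2 };

/*
 * Parse a file record "C<mode> <size> <name>" (trailing newline already
 * stripped) and copy the name to out only if it is a plain file name.
 * Hypothetical helper for illustration; not taken from scp.c.
 */
int check_file_record(const char *rec, char *out, size_t outlen)
{
    char *end;
    const char *p;

    if (rec == NULL || rec[0] != 'C')
        return REC_MALFORMED;

    /* Mode: exactly four octal digits followed by a space. */
    p = rec + 1;
    for (int i = 0; i < 4; i++, p++)
        if (*p < '0' || *p > '7')
            return REC_MALFORMED;
    if (*p++ != ' ')
        return REC_MALFORMED;

    /* Size: decimal digits followed by a space (no sign, no whitespace). */
    if (*p < '0' || *p > '9')
        return REC_MALFORMED;
    (void)strtoull(p, &end, 10);
    if (*end != ' ')
        return REC_MALFORMED;
    p = end + 1;

    /* Name: the sender chooses it, so refuse anything that is not a
     * single path component inside the target directory. */
    if (*p == '\0' || strlen(p) >= outlen)
        return REC_MALFORMED;
    if (strchr(p, '/') != NULL || strcmp(p, ".") == 0 || strcmp(p, "..") == 0)
        return REC_BAD_NAME;

    memcpy(out, p, strlen(p) + 1);
    return REC_OK;
}
```

A check like this keeps the received name inside the target directory, but it cannot tell whether the name is the one the user asked for, since the protocol lets the sending side pick it; that is the sense in which such a check is a partial workaround rather than a fix.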

