On Sat, Jul 25, 2020 at 08:05:14PM -0400, Rich Freeman wrote: > On Sat, Jul 25, 2020 at 7:40 PM Joshua Kinard <ku...@gentoo.org> wrote: > > > > This seems like something that needs a news entry, or > > at least a "heads up" on the mailing list? > > Definitely not a "heads up" on the mailing list - that is not an > appropriate way to communicate anything to users - not even devs are > required to read this list. > > The two appropriate ways to communicate something like this are > einfo/ewarn/etc or news. Never hurts to use news. Ideally I'd point > to a substitute, and I'd suggest one myself if I were aware of one...
Just to have this information here for easy access, this is upstream's response from that bug's URL . They recommend "rsync or something else": The scp command is a historical protocol (called rcp) which relies upon that style of argument passing and encounters expansion problems. It has proven very difficult to add "security" to the scp model. All attempts to "detect" and "prevent" anomalous argument transfers stand a great chance of breaking existing workflows. Yes, we recognize it the situation sucks. But we don't want to break the easy patterns people use scp for, until there is a commonplace replacement. People should use rsync or something else instead if they are concerned.  https://github.com/cpandya2909/CVE-2020-15778/
Description: PGP signature