Sylvain Beucler discovered that Savane version >= 1.0.1 is vulnerable to restricted shell bypass in the sv_membersh default scp configuration, resulting in local access for registered users.
If you offer scp access to your users, we recommend you modify your /etc/membersh-conf.pl file with: $regexp_scp = "^scp( -[pdrv])* -t (-- )?/srv/download"; Version 3.0+4 includes this fix. _______________________________________________ Savane-announce mailing list savane-annou...@gna.org https://mail.gna.org/listinfo/savane-announce _______________________________________________ Savane-dev mailing list Savane-dev@gna.org https://mail.gna.org/listinfo/savane-dev
