[SECURITY] Fedora EPEL 6 Update: rssh-2.3.4-1.el6

updates at fedoraproject.org updates at fedoraproject.org
Fri Oct 17 17:32:52 UTC 2014 

--------------------------------------------------------------------------------
Fedora EPEL Update Notification
FEDORA-EPEL-2014-3024
2014-10-01 16:47:31
--------------------------------------------------------------------------------

Name        : rssh
Product     : Fedora EPEL 6
Version     : 2.3.4
Release     : 1.el6
URL         : http://www.pizzashack.org/rssh/
Summary     : Restricted shell for use with OpenSSH, allowing only scp and/or sftp
Description :
rssh is a restricted shell for use with OpenSSH, allowing only scp
and/or sftp. For example, if you have a server which you only want
to allow users to copy files off of via scp, without providing shell
access, you can use rssh to do that. It is a alternative to scponly.

--------------------------------------------------------------------------------
Update Information:

- Update to 2.3.4 :
  - CVE-2012-3478: Improper filtering of environment variables.
  - CVE-2012-2251: Incorrect filtering of rsync command line.
  - CVE-2012-2252: Incorrect filtering of --rsh option.
--------------------------------------------------------------------------------
References:

  [ 1 ] Bug #880989 - CVE-2012-2251 rssh: bypass of rsync -e option filtering [epel-6]
        https://bugzilla.redhat.com/show_bug.cgi?id=880989
  [ 2 ] Bug #880992 - CVE-2012-2252 rssh: incorrect filtering of rsync --rsh command line option [epel-all]
        https://bugzilla.redhat.com/show_bug.cgi?id=880992
  [ 3 ] Bug #820416 - CVE-2012-3478 rssh: possible circumvention of rssh restrictions [epel-all]
        https://bugzilla.redhat.com/show_bug.cgi?id=820416
--------------------------------------------------------------------------------

This update can be installed with the "yum" update programs.  Use
su -c 'yum update rssh' at the command line.
For more information, refer to "Managing Software with yum",
available at http://docs.fedoraproject.org/yum/.

All packages are signed with the Fedora EPEL GPG key.  More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------

More information about the epel-package-announce mailing list