1. Ubuntu Security Notices
  2. USN-3946-1

USN-3946-1: rssh vulnerabilities

Publication date

11 April 2019

Overview

rssh could be made to run arbitrary commands if it received specially crafted input.

Releases

Packages

  • rssh - Restricted shell allowing scp, sftp, cvs, svn, rsync or rdist

Details

It was discovered that rssh incorrectly handled certain command-line arguments
and environment variables. An authenticated user could bypass rssh’s command
restrictions, allowing an attacker to run arbitrary commands.

It was discovered that rssh incorrectly handled certain command-line arguments
and environment variables. An authenticated user could bypass rssh’s command
restrictions, allowing an attacker to run arbitrary commands.

Update instructions

In general, a standard system update will make all the necessary changes.

Learn more about how to get the fixes.

The problem can be corrected by updating your system to the following package versions:

Ubuntu Release Package Version
18.10 cosmic rssh –  2.3.4-8ubuntu0.2
18.04 bionic rssh –  2.3.4-7ubuntu0.1
16.04 xenial rssh –  2.3.4-4+deb8u2ubuntu0.16.04.2
14.04 trusty rssh –  2.3.4-4+deb8u2ubuntu0.14.04.2

Reduce your security exposure

Ubuntu Pro provides ten-year security coverage to 25,000+ packages in Main and Universe repositories, and it is free for up to five machines.

Get Ubuntu Pro

References

Have additional questions?

Talk to a member of the team ›