Version in base suite: 4.0-1sarge1 Version in overlay suite: 4.0-1sarge2 Base version: scponly_4.0-1sarge1 Target version: scponly_4.0-1sarge2 Base file: /org/ftp.debian.org/ftp/pool/main/s/scponly/scponly_4.0-1sarge1.dsc Target file: /org/ftp.debian.org/ftp/pool/main/s/scponly/scponly_4.0-1sarge2.dsc
diff -u scponly-4.0/scponly.c scponly-4.0/scponly.c
--- scponly-4.0/scponly.c
+++ scponly-4.0/scponly.c
@@ -78,6 +78,8 @@
 cmd_arg_t dangerous_args[] =
 {
 	{ PROG_SCP, "-S" },
+	{ PROG_SCP, "-F" },
+	{ PROG_SCP, "-o" },
 	{ PROG_SFTP_SERVER, "-S" },
 #ifdef UNISON_COMPAT
 	{ PROG_UNISON, "-rshcmd" },
diff -u scponly-4.0/debian/changelog scponly-4.0/debian/changelog
--- scponly-4.0/debian/changelog
+++ scponly-4.0/debian/changelog
@@ -1,3 +1,12 @@
+scponly (4.0-1sarge2) oldstable-security; urgency=high
+
+  * Non-maintainer upload by the Security Team
+  * Remove rsync, Subversion and Unison support because it was possible
+    to gain shell access through them (CVE-2007-6350). Closes: #437148.
+  * scp: -o and -F options are dangerous (CVE-2007-6415).
+
+ -- Florian Weimer Tue, 25 Dec 2007 13:27:52 +0100
+
 scponly (4.0-1sarge1) stable-security; urgency=high
   * Non-maintainer upload by the Security Team
diff -u scponly-4.0/debian/rules scponly-4.0/debian/rules
--- scponly-4.0/debian/rules
+++ scponly-4.0/debian/rules
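Review bot: The two new dangerous_args entries only close the hole if the routine that walks this table (outside the hunk) also recognises the attached-value spelling of these flags, since ssh-style options take their value either as the next token or glued to the flag itself; nothing in the hunk shows which form is compared, so that matching code needs to be checked alongside this change. The table also carries no rationale, so a later maintainer has no way to tell why an scp flag is listed; a comment such as `/* -F and -o let the caller hand ssh its own client configuration (CVE-2007-6415) */` above the added lines would record it. More generally a denylist of flags has to be revisited whenever the wrapped scp grows options, which is worth a note at the head of the table. The dangerous_args initializer starts before the hunk and continues past it.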
@@ -26,8 +26,7 @@
 config.status: configure
 	dh_testdir
 	# Add here commands to configure the package.
-	./configure CFLAGS='$(CFLAGS)' --host=$(DEB_HOST_GNU_TYPE) --build=$(DEB_BUILD_GNU_TYPE) --prefix=/usr --mandir=\$${prefix}/share/man --infodir=\$${prefix}/share/info --sysconfdir=\$${prefix}/../etc --enable-rsync-compat --enable-unison-compat --enable-chrooted-binary --enable-passwd-compat --enable-svn-compat PROG_USERADD=/usr/sbin/useradd
-
+	./configure CFLAGS='$(CFLAGS)' --host=$(DEB_HOST_GNU_TYPE) --build=$(DEB_BUILD_GNU_TYPE) --prefix=/usr --mandir=\$${prefix}/share/man --infodir=\$${prefix}/share/info --sysconfdir=\$${prefix}/../etc --enable-chrooted-binary --enable-passwd-compat PROG_USERADD=/usr/sbin/useradd
 build: build-stamp