Debian Security Advisory DSA 2578-1 (rssh)

The remote host is missing an update to rssh announced via advisory DSA 2578-1.

James Clawson discovered that rssh, a restricted shell for OpenSSH to be used with scp/sftp, rdist and cvs, was not correctly filtering command line options. This could be used to force the execution of a remote script and thus allow arbitrary command execution. Two CVE were assigned: CVE-2012-2251 Incorrect filtering of command line when using rsync protocol. It was for example possible to pass dangerous options after a -- switch. The rsync protocol support has been added in a Debian (and Fedora/Red Hat) specific patch, so this vulnerability doesn't affect upstream. CVE-2012-2251 Incorrect filtering of the --rsh option: the filter preventing usage of the - -rsh= option would not prevent passing --rsh. This vulnerability affects upstream code. For the stable distribution (squeeze), this problem has been fixed in version 2.3.2-13squeeze2. For the testing distribution (wheezy), this problem has been fixed in version 2.3.3-6. For the unstable distribution (sid), this problem has been fixed in version 2.3.3-6.

We recommend that you upgrade your rssh packages.