Debian Security Advisory DSA 918-1 (osh)

The remote host is missing an update to osh announced via advisory DSA 918-1. Several security related problems have been discovered in osh, the operator's shell for executing defined programs in a privileged environment. The Common Vulnerabilities and Exposures project identifies the following vulnerabilities: CVE-2005-3347 Charles Stevenson discovered a bug in the substitution of variables that allows a local attacker to open a root shell. CVE-2005-3533 Solar Eclipse discovered a buffer overflow caused by the current working directory plus a filename that could be used to execute arbitrary code and e.g. open a root shell. For the old stable distribution (woody) these problems have been fixed in version 1.7-11woody2.

For the stable distribution (sarge) these problems have been fixed in version 1.7-13sarge1. For the unstable distribution (sid) these problems have been fixed in version 1.7-15, however, the package has been removed entirely. We recommend that you upgrade your osh package. https://secure1.securityspace.com/smysecure/catid.html?in=DSA%20918-1