==========================================================================
Ubuntu Security Notice USN-3946-1
April 11, 2019
rssh vulnerabilities
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 18.10
- Ubuntu 18.04 LTS
- Ubuntu 16.04 LTS
- Ubuntu 14.04 LTS
Summary:
rssh could be made to run arbitrary commands if it received specially crafted
input.
Software Description:
- rssh: Restricted shell allowing scp, sftp, cvs, svn, rsync or rdist
Details:
It was discovered that rssh incorrectly handled certain command-line arguments
and environment variables. An authenticated user could bypass rssh’s command
restrictions, allowing an attacker to run arbitrary commands.
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 18.10:
  rssh                            2.3.4-8ubuntu0.2
Ubuntu 18.04 LTS:
  rssh                            2.3.4-7ubuntu0.1
Ubuntu 16.04 LTS:
  rssh                            2.3.4-4+deb8u2ubuntu0.16.04.2
Ubuntu 14.04 LTS:
  rssh                            2.3.4-4+deb8u2ubuntu0.14.04.2
In general, a standard system update will make all the necessary changes.
References:
  https://usn.ubuntu.com/usn/usn-3946-1
  CVE-2019-1000018, CVE-2019-3463, CVE-2019-3464
Package Information:
  https://launchpad.net/ubuntu/+source/rssh/2.3.4-8ubuntu0.2
  https://launchpad.net/ubuntu/+source/rssh/2.3.4-7ubuntu0.1
  https://launchpad.net/ubuntu/+source/rssh/2.3.4-4+deb8u2ubuntu0.16.04.2
  https://launchpad.net/ubuntu/+source/rssh/2.3.4-4+deb8u2ubuntu0.14.04.2



