Mailinglist Archive: opensuse-security (81 mails)

Re: [suse-security] OpenSSH scp command expansion bug - is it local or remote?
  • From: David Corking <lists@xxxxxxxxxxxx>
  • Date: Tue, 14 Feb 2006 15:52:52 +0000
  • Message-id: <f7a24bea0602140752j263ce1ach6d7f77a552946002@xxxxxxxxxxxxxx>
That was quick, Marcus. Thanks!

On 2/14/06, Marcus Meissner <meissner@xxxxxxx> wrote:

> > 1. Thanks for the patch and announcement today : SUSE-SA:2006:008
...
> > 3. I have now avidly read the major reports of CVE-2006-0225, most of
> > which classify it as low priority, and all classify it as local.

> I was undecided too when choosing it, and I do not see a direct threat.
>
> It is post authentication.
>
> The only way I understand this is problematic is when you have a scp-only
> remote configuration and can then execute programs on the remote machine.

That puts my mind at rest. Best regards, David
