MGASA-2019-0156

See a problem?
Please try reporting it to the source first.

Source

https://advisories.mageia.org/MGASA-2019-0156.html

Import Source

https://advisories.mageia.org/MGASA-2019-0156.json

JSON Data

https://api.test.osv.dev/v1/vulns/MGASA-2019-0156

Related

Published

2019-05-12T09:35:33Z

Modified

2019-05-12T08:59:15Z

Summary

Updated openssh packages fix security vulnerabilities

Details

Updated openssh packages fix security vulnerabilities:

Due to missing character encoding in the progress display, the object name can be used to manipulate the client output, for example to employ ANSI codes to hide additional files being transferred (CVE-2019-6109).

Due to scp client insufficient input validation in path names sent by server, a malicious server can do arbitrary file overwrites in target directory. If the recursive (-r) option is provided, the server can also manipulate subdirectories as well (CVE-2019-6111).

The check added in this version can lead to regression if the client and the server have differences in wildcard expansion rules. If the server is trusted for that purpose, the check can be disabled with a new -T option to the scp client.

References

Credits

- Mageia - COORDINATOR
- - https://wiki.mageia.org/en/Packages_Security_Team

Affected packages

Mageia:6 / openssh

Package

Name: openssh
Purl: pkg:rpm/mageia/openssh?distro=mageia-6

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

7.5p1-2.4.mga6

Ecosystem specific

{
    "section": "core"
}