[Git][security-tracker-team/security-tracker][master] CVE-2019-6110/openssh: Add note on reasoning of upstream about vulnerability

[Salvatore Bonaccorso]

Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker


Commits:
f2416f4a by Salvatore Bonaccorso at 2019-02-08T16:20:10Z
CVE-2019-6110/openssh: Add note on reasoning of upstream about vulnerability

Upstream states for CVE-2019-6110:

> We don't consider the report relating to stderr to be a vulnerability -
> lots of stuff depends on stderr being present (e.g. login warning
> banners that some people inexplicably love) and it's impractical for
> scp to selectively process them. The machine you just logged into can
> print junk to your screen, so what?

- - - - -


1 changed file:

- data/CVE/list


Changes:

=====================================
data/CVE/list
=====================================
@@ -3741,6 +3741,7 @@ CVE-2019-6111 (An issue was discovered in OpenSSH 7.9. Due to the scp implementa
 CVE-2019-6110 (In OpenSSH 7.9, due to accepting and displaying arbitrary stderr output ...)
 	- openssh <unfixed>
 	NOTE: https://sintonen.fi/advisories/scp-client-multiple-vulnerabilities.txt
+	NOTE: Not considered a vulnerability by upstream, cf. https://lists.gt.net/openssh/dev/73013#73013
 CVE-2019-6109 (An issue was discovered in OpenSSH 7.9. Due to missing character ...)
 	- openssh <unfixed> (bug #793412)
 	NOTE: https://sintonen.fi/advisories/scp-client-multiple-vulnerabilities.txt



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/f2416f4aab8005b506dfeba51969eb38a3b51fde

-- 
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/f2416f4aab8005b506dfeba51969eb38a3b51fde
You're receiving this email because of your account on salsa.debian.org.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://alioth-lists.debian.net/pipermail/debian-security-tracker-commits/attachments/20190208/2e5cb268/attachment.html>