[Git][security-tracker-team/security-tracker][master] CVE-2019-6110/openssh: Add note on reasoning of upstream about vulnerability
Salvatore Bonaccorso
carnil at debian.org
Fri Feb 8 16:22:36 GMT 2019
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker
Commits:
f2416f4a by Salvatore Bonaccorso at 2019-02-08T16:20:10Z
CVE-2019-6110/openssh: Add note on reasoning of upstream about vulnerability
Upstream states for CVE-2019-6110:
> We don't consider the report relating to stderr to be a vulnerability -
> lots of stuff depends on stderr being present (e.g. login warning
> banners that some people inexplicably love) and it's impractical for
> scp to selectively process them. The machine you just logged into can
> print junk to your screen, so what?
- - - - -
1 changed file:
- data/CVE/list
Changes:
=====================================
data/CVE/list
=====================================
@@ -3741,6 +3741,7 @@ CVE-2019-6111 (An issue was discovered in OpenSSH 7.9. Due to the scp implementa
CVE-2019-6110 (In OpenSSH 7.9, due to accepting and displaying arbitrary stderr output ...)
- openssh <unfixed>
NOTE: https://sintonen.fi/advisories/scp-client-multiple-vulnerabilities.txt
+ NOTE: Not considered a vulnerability by upstream, cf. https://lists.gt.net/openssh/dev/73013#73013
CVE-2019-6109 (An issue was discovered in OpenSSH 7.9. Due to missing character ...)
- openssh <unfixed> (bug #793412)
NOTE: https://sintonen.fi/advisories/scp-client-multiple-vulnerabilities.txt
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/f2416f4aab8005b506dfeba51969eb38a3b51fde
--
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/f2416f4aab8005b506dfeba51969eb38a3b51fde
You're receiving this email because of your account on salsa.debian.org.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://alioth-lists.debian.net/pipermail/debian-security-tracker-commits/attachments/20190208/2e5cb268/attachment.html>
More information about the debian-security-tracker-commits
mailing list