Hi Magnus, On Fri, Dec 28, 2018 at 10:22:53AM +0100, Moritz Mühlenhoff wrote: > On Wed, Dec 26, 2018 at 05:20:40PM +0100, Magnus Holmgren wrote: > > > CVE-2018-19518[0]: > > > | University of Washington IMAP Toolkit 2007f on UNIX, as used in > > > | imap_open() in PHP and other products, launches an rsh command (by > > > | means of the imap_rimap function in c-client/imap4r1.c and the > > > | tcp_aopen function in osdep/unix/tcp_unix.c) without preventing > > > | argument injection, > > > > I'm wondering if anyone would complain if I'd disable RSH (SSH) connections > > altogether. > > Full ack, that seems like the most sensible fix.
Any news on this approach, or did you spot any problem with that way? Regards, Salvatore
