Your message dated Tue, 02 Jun 2026 19:32:07 +0000
with message-id <[email protected]>
and subject line Bug#1138293: fixed in sshfs-fuse 3.7.3-1.2~deb13u1
has caused the Debian Bug report #1138293,
regarding sshfs-fuse: CVE-2026-47187 CVE-2026-48711
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
1138293: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1138293
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: sshfs-fuse
Version: 3.7.3-1.1
Severity: grave
Tags: security upstream
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>

Hi,

The following vulnerabilities were published for sshfs-fuse.

CVE-2026-47187[0]:
| Symlink escape - rogue SFTP server -> local file read/write

CVE-2026-48711[1]:
| ssh argument injection via bracketed mount source

If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2026-47187
    https://www.cve.org/CVERecord?id=CVE-2026-47187
[1] https://security-tracker.debian.org/tracker/CVE-2026-48711
    https://www.cve.org/CVERecord?id=CVE-2026-48711
[2] https://www.openwall.com/lists/oss-security/2026/05/30/3

Regards,
Salvatore

--- End Message ---
--- Begin Message ---
Source: sshfs-fuse
Source-Version: 3.7.3-1.2~deb13u1
Done: Salvatore Bonaccorso <[email protected]>

We believe that the bug you reported is fixed in the latest version of
sshfs-fuse, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Salvatore Bonaccorso <[email protected]> (supplier of updated sshfs-fuse package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Tue, 02 Jun 2026 13:11:01 +0200
Source: sshfs-fuse
Architecture: source
Version: 3.7.3-1.2~deb13u1
Distribution: trixie
Urgency: high
Maintainer: Bartosz Fenski <[email protected]>
Changed-By: Salvatore Bonaccorso <[email protected]>
Closes: 1138293
Changes:
 sshfs-fuse (3.7.3-1.2~deb13u1) trixie; urgency=medium
 .
   * Non-maintainer upload.
   * Rebuild for trixie
 .
 sshfs-fuse (3.7.3-1.2) unstable; urgency=high
 .
   * Non-maintainer upload.
   * add contain_symlinks option to prevent symlink escape attacks
     (CVE-2026-47187) (Closes: #1138293)
   * reject hostname option injection via bracketed mount source
     (CVE-2026-48711) (Closes: #1138293)

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----



--- End Message ---
