Your message dated Tue, 02 Jun 2026 19:47:17 +0000
with message-id <[email protected]>
and subject line Bug#1138293: fixed in sshfs-fuse 3.7.3-1.2~deb12u1
has caused the Debian Bug report #1138293,
regarding sshfs-fuse: CVE-2026-47187 CVE-2026-48711
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
1138293: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1138293
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: sshfs-fuse
Version: 3.7.3-1.1
Severity: grave
Tags: security upstream
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>

Hi,

The following vulnerabilities were published for sshfs-fuse.

CVE-2026-47187[0]:
| Symlink escape - rogue SFTP server -> local file read/write

CVE-2026-48711[1]:
| ssh argument injection via bracketed mount source

If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2026-47187
    https://www.cve.org/CVERecord?id=CVE-2026-47187
[1] https://security-tracker.debian.org/tracker/CVE-2026-48711
    https://www.cve.org/CVERecord?id=CVE-2026-48711
[2] https://www.openwall.com/lists/oss-security/2026/05/30/3

Regards,
Salvatore

--- End Message ---
--- Begin Message ---
Source: sshfs-fuse
Source-Version: 3.7.3-1.2~deb12u1
Done: Salvatore Bonaccorso <[email protected]>

We believe that the bug you reported is fixed in the latest version of
sshfs-fuse, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Salvatore Bonaccorso <[email protected]> (supplier of updated sshfs-fuse package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Tue, 02 Jun 2026 13:13:13 +0200
Source: sshfs-fuse
Architecture: source
Version: 3.7.3-1.2~deb12u1
Distribution: bookworm
Urgency: high
Maintainer: Bartosz Fenski <[email protected]>
Changed-By: Salvatore Bonaccorso <[email protected]>
Closes: 1138293
Changes:
 sshfs-fuse (3.7.3-1.2~deb12u1) bookworm; urgency=medium
 .
   * Non-maintainer upload.
   * Rebuild for bookworm
 .
 sshfs-fuse (3.7.3-1.2) unstable; urgency=high
 .
   * Non-maintainer upload.
   * add contain_symlinks option to prevent symlink escape attacks
     (CVE-2026-47187) (Closes: #1138293)
   * reject hostname option injection via bracketed mount source
     (CVE-2026-48711) (Closes: #1138293)

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----



--- End Message ---
