[ https://issues.apache.org/jira/browse/SSHD-925?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Goldstein Lyor resolved SSHD-925.
---------------------------------
    Resolution: Not A Problem

> See if SCP vulnerability CVE-2019-6111 applies and mitigate it if so
> --------------------------------------------------------------------
>
>                 Key: SSHD-925
>                 URL: https://issues.apache.org/jira/browse/SSHD-925
>             Project: MINA SSHD
>          Issue Type: Improvement
>    Affects Versions: 2.2.0
>            Reporter: Goldstein Lyor
>            Assignee: Goldstein Lyor
>            Priority: Major
>              Labels: scp, security-issue
>
> From [OpenSSH version 8.0 release notes|https://www.openssh.com/txt/release-8.0]
> {quote}
> This release contains mitigation for a weakness in the scp(1) tool and
> protocol (CVE-2019-6111): when copying files from a remote system to a local
> directory, scp(1) did not verify that the filenames that the server sent
> matched those requested by the client. This could allow a hostile server to
> create or clobber unexpected local files with attacker-controlled content.
> {quote}
> If indeed this vulnerability exists then also note the following:
> {quote}
> The scp protocol relies on the remote shell for wildcard expansion, so there
> is no infallible way for the client's wildcard matching to perfectly reflect
> the server's. If there is a difference between client and server wildcard
> expansion, the client may refuse files from the server. For this reason, we
> have provided a new "-T" flag to scp that disables these client-side checks
> at the risk of reintroducing the attack described above.
> {quote}

--
This message was sent by Atlassian Jira
(v8.3.2#803003)
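The two quoted release-note paragraphs describe a client-side check (server-sent names must match what the client asked for) and its trade-off (client and server wildcard expansion can disagree, hence `-T`). The following is an added illustration of that check over constructed scp control records; it is not code from MINA SSHD or from OpenSSH. It assumes the scp wire format of `C<mode> <size> <name>` / `D<mode> <size> <name>` records, uses `fnmatch` as a stand-in for the client's own wildcard matching, and adds a single-path-component check as its own design choice, applied even when the requested-name check is switched off.

```python
import fnmatch
import re

# Constructed sample of the control records a remote "scp -f" sends on the
# channel (file data bytes omitted). Two of them are what a hostile server
# in the CVE-2019-6111 description would send: a traversal name and a file
# the client never asked for.
SAMPLE_RECORDS = [
    "C0644 12 notes.txt",
    "C0644 40 ../.bashrc",   # path traversal attempt
    "C0600 4096 id_rsa",     # not requested by the client
    "C0644 7 report.pdf",
]

_RECORD_RE = re.compile(r"^([CD])([0-7]{4}) (\d+) (.+)$")


def parse_record(line):
    """Parse a 'Cmmmm size name' (file) or 'Dmmmm size name' (directory)
    scp control record into (kind, mode, size, name)."""
    m = _RECORD_RE.match(line)
    if not m:
        raise ValueError("malformed scp record: %r" % line)
    kind, mode, size, name = m.groups()
    return kind, int(mode, 8), int(size), name


def name_is_safe(name):
    """A server-sent name must be exactly one path component: the client
    chooses the local directory, the server only names the entry inside it.
    (Design choice of this example; applied regardless of strict mode.)"""
    if name in ("", ".", ".."):
        return False
    return "/" not in name and "\\" not in name and "\x00" not in name


def name_was_requested(name, requested):
    """The OpenSSH 8.0 style check: the name must match one of the patterns
    the client sent. fnmatchcase stands in for the client's wildcard rules;
    it does not do brace expansion, which is exactly the kind of mismatch
    the release notes warn about."""
    return any(fnmatch.fnmatchcase(name, pat) for pat in requested)


def filter_records(lines, requested, strict=True):
    """Split records into (accepted_names, [(name, reason), ...]).
    strict=False mirrors the effect of 'scp -T': the requested-name check is
    skipped; the path-component check stays on."""
    accepted, rejected = [], []
    for line in lines:
        _kind, _mode, _size, name = parse_record(line)
        if not name_is_safe(name):
            rejected.append((name, "unsafe path component"))
        elif strict and not name_was_requested(name, requested):
            rejected.append((name, "not requested"))
        else:
            accepted.append(name)
    return accepted, rejected


if __name__ == "__main__":
    # Client asked for "*.txt" and "report.pdf"; the server sent four entries.
    print(filter_records(SAMPLE_RECORDS, ["*.txt", "report.pdf"]))
    # Client/server wildcard mismatch: the client passed "{a,b}.txt", the
    # remote shell expanded it, and the client's matcher does not know braces.
    print(filter_records(["C0644 1 a.txt"], ["{a,b}.txt"]))
    print(filter_records(["C0644 1 a.txt"], ["{a,b}.txt"], strict=False))
```

Running it shows the strict mode rejecting `../.bashrc` and `id_rsa` while accepting the two requested files, and the `{a,b}.txt` case shows why OpenSSH had to offer `-T`: a legitimate `a.txt` is refused because the client's matcher expands patterns differently from the remote shell, and disabling the check accepts it at the cost of the requested-name guarantee.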