Thursday, April 25, 2019

[openssh-unix-announce] Announce: OpenSSH 8.0 released

---------- Forwarded message ---------
From: Damien Miller
Date: Apr 18, 2019 9:36AM

OpenSSH 8.0 has just been released. It will be available from the
mirrors listed at http://www.openssh.com/ shortly.
...
This release contains mitigation for a weakness in the scp(1) tool
and protocol (CVE-2019-6111): when copying files from a remote system
to a local directory, scp(1) did not verify that the filenames that
the server sent matched those requested by the client. This could
allow a hostile server to create or clobber unexpected local files
with attacker-controlled content.

This release adds client-side checking that the filenames sent from
the server match the command-line request.

The scp protocol is outdated, inflexible and not readily fixed. We
recommend the use of more modern protocols like sftp and rsync for
file transfer instead.
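
A simplified model of the client-side check described in the announcement, added here as an illustration; it is not OpenSSH's scp code. The function name `scp_record_allowed`, the record handling and the sample records are assumptions constructed for the example, which covers only the top-level, non-recursive case.

```c
/* Added example: simplified model of a client-side scp filename check. */
#include <fnmatch.h>
#include <stdio.h>
#include <string.h>

/* Last path component of the remote path given on the command line. */
static const char *request_basename(const char *path) {
    const char *slash = strrchr(path, '/');
    return slash ? slash + 1 : path;
}

/*
 * Decide whether one file/directory record from the server is acceptable.
 * record:    "C<mode> <size> <name>" or "D<mode> <size> <name>", newline stripped
 * requested: remote path the user asked for (may end in a glob pattern)
 * Returns 1 to accept, 0 to reject. Top-level (non-recursive) case only.
 */
int scp_record_allowed(const char *record, const char *requested) {
    unsigned int mode;
    unsigned long long size;
    int used = 0;
    const char *name;

    if (record[0] != 'C' && record[0] != 'D')
        return 0;
    if (sscanf(record + 1, "%4o %llu%n", &mode, &size, &used) < 2)
        return 0;
    if (record[1 + used] != ' ')
        return 0;
    name = record + 1 + used + 1;
    /* A name must be a single path component in the target directory. */
    if (name[0] == '\0' || strchr(name, '/') != NULL ||
        strcmp(name, ".") == 0 || strcmp(name, "..") == 0)
        return 0;
    /* The check the announcement describes: name must match the request. */
    return fnmatch(request_basename(requested), name, 0) == 0;
}

int main(void) {
    /* Constructed sample records checked against the request below. */
    const char *records[] = { "C0644 12 notes.txt", "C0644 64 other.cfg",
                              "C0644 5 ../x.txt", "D0755 0 .." };
    for (size_t i = 0; i < sizeof records / sizeof records[0]; i++)
        printf("%-22s %s\n", records[i],
               scp_record_allowed(records[i], "docs/*.txt") ? "accept" : "reject");
    return 0;
}
```

With flags set to 0, fnmatch(3) lets `*` match `/`, which is why the single-component test runs before the pattern match.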
