Regression in 2.3.4-4+deb8u1build0.16.04.1 on scp command parsing

Bug #1815935 reported by Iyyappa Murugandi
This bug affects 1 person.

Affects: rssh (Ubuntu) | Status: Confirmed | Importance: Undecided | Assigned to: Unassigned | Milestone: (none)

Bug Description

Package: rssh
Version: 2.3.4-4+deb8u1build0.16.04.1

We are using the libssh2 (v1.5) client to download files in our product. After rssh got auto-patched, our download scenario is broken. This happens only for users that are created with the default rssh shell login.

Steps to repro:

1. sudo useradd -s /usr/bin/rssh -r -N -c "test" -G testgroup test
2. sudo passwd test
3. sudo usermod -a -G rsshusers test

4. Build libssh2
5. Run scp example
./example/example-scp 127.0.0.1 test test /tmp/f1.txt

Stuck and fails to read the file.

Libssh2 logs indicate rssh returned following error

insecure scp option not allowed.
This account is restricted by rssh.
Allowed commands: scp sftp

Looking at sshd debug mode logs indicated that scp is called with the "-pf" argument, but the new validation
"static int scp_okay( char **vec )" didn't take that into account, causing the failure.

It could be great if you could fix this issue.

Revision history for this message
Iyyappa Murugandi (mitsmiles) wrote :

Also libssh2 scp_send() uses "-pt" option.
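As an added illustration of the failure mode the report and the follow-up comment describe (this is not rssh's code and not the scp_okay() function the report names), the block below contrasts a server-side scp option check that only recognises one-letter options, which rejects the clustered "-pf" and "-pt" that libssh2 sends, with a cluster-aware check that accepts them while still rejecting any letter outside the allow-list. The allow-list, the function names and the sample argument vectors are assumptions made for this example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Allow-list of scp short options a restricted account may use.
 * Constructed for this example; it is not the policy rssh ships. */
static const char ALLOWED_FLAGS[] = "pfrtdv";

/* Naive check modelled on the regression in the report: each argument that
 * starts with '-' must be exactly one allowed letter, so the clustered
 * "-pf" / "-pt" that libssh2 sends is rejected as an unknown option. */
bool scp_okay_naive(char **vec)
{
    for (size_t i = 1; vec[i] != NULL; i++) {
        const char *a = vec[i];
        if (a[0] != '-')
            continue;               /* a path, not an option */
        if (strlen(a) != 2 || strchr(ALLOWED_FLAGS, a[1]) == NULL)
            return false;           /* unknown or clustered option */
    }
    return true;
}

/* Cluster-aware check: every letter in a "-xyz" cluster must be on the
 * allow-list, "--" ends option processing, and a lone "-" is a path. */
bool scp_okay_clustered(char **vec)
{
    bool opts_done = false;
    for (size_t i = 1; vec[i] != NULL; i++) {
        const char *a = vec[i];
        if (opts_done || a[0] != '-' || a[1] == '\0')
            continue;               /* path argument */
        if (strcmp(a, "--") == 0) {
            opts_done = true;       /* everything after this is a path */
            continue;
        }
        for (const char *c = a + 1; *c != '\0'; c++)
            if (strchr(ALLOWED_FLAGS, *c) == NULL)
                return false;       /* letter outside the allow-list */
    }
    return true;
}

int main(void)
{
    /* Constructed argument vectors: what a client download and a client
     * upload hand to the server-side scp, plus one option ("-S") that is
     * deliberately not on the allow-list. */
    char *download[] = { "scp", "-pf", "/tmp/f1.txt", NULL };
    char *upload[]   = { "scp", "-pt", "/tmp", NULL };
    char *rejected[] = { "scp", "-S", "/tmp/f1.txt", NULL };

    printf("naive     -pf: %s\n", scp_okay_naive(download) ? "allowed" : "rejected");
    printf("clustered -pf: %s\n", scp_okay_clustered(download) ? "allowed" : "rejected");
    printf("clustered -pt: %s\n", scp_okay_clustered(upload) ? "allowed" : "rejected");
    printf("clustered -S : %s\n", scp_okay_clustered(rejected) ? "allowed" : "rejected");
    return 0;
}
```

The cluster-aware variant is the shape the regression fix has to take: the policy is expressed per option letter, not per argument string, so "-p -f", "-pf" and "-fp" are judged identically, and the "--" terminator keeps a path that happens to start with "-" from being mistaken for an option.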

Revision history for this message
Russ Allbery (rra-debian) wrote :

Thanks for the report! While I don't use or maintain the Ubuntu version of rssh, it looks like Ubuntu is importing the Debian security fixes, and this is indeed a regression in Debian as well. I'm working on a fix now, and checking with the Debian security team to confirm that it's worth a regression update. Presumably Ubuntu would then pull it in.

Please note that rssh is orphaned upstream and both upstream and I agree that its security model is not maintainable going forward, largely due to this sort of problem and the complexity of trying to analyze command lines for other programs that constantly change. The next stable release of Debian (and hence probably Ubuntu) will not contain the package, so you may want to start evaluating alternatives.

Revision history for this message
Iyyappa Murugandi (mitsmiles) wrote :

Thanks for looking into it.
Do you have any suggestion for the alternative solutions?
If we decide to not use rssh tomorrow, the user we created that was meant only for file transfer would be a regular user; that would solve the current issue and remove the dependency on rssh. But that will be a step down from the security provided by rssh. We will definitely look into alternative solutions, but let me also know if you have other solutions in mind.

Revision history for this message
Russ Allbery (rra-debian) wrote :

sftp is natively supported by sshd (with ForceCommand internal-sftp and ChrootDirectory), so that avoids the problem that rssh has where ssh keeps adding new features that add new security vulnerabilities in the rssh model. That's probably the best solution if you're currently using scp.
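An added example of the sshd-native setup the comment above refers to (this is not configuration from the thread; the group name "sftponly", the chroot path and the rest of the sshd_config are assumptions):

```sshd_config
# Added example, not from the bug thread. Members of the assumed group
# "sftponly" get an in-process SFTP server and nothing else; no shell,
# no rssh, and no scp command line for sshd to parse.
Subsystem sftp internal-sftp

Match Group sftponly
    ForceCommand internal-sftp
    ChrootDirectory /srv/sftp/%u
    AllowTcpForwarding no
    X11Forwarding no
    PermitTunnel no
    PermitTTY no
```

The chroot target (/srv/sftp/<user> here) must be owned by root and not writable by the user or group, or sshd refuses the login; give the user a writable subdirectory inside it instead. Check the result with `sshd -t` before reloading. Note that a client using libssh2's scp functions has to move to its SFTP API, since internal-sftp only speaks the SFTP protocol.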

Revision history for this message
Iyyappa Murugandi (mitsmiles) wrote :

Sounds good. We will keep that as an option for the long term solution.
It would be great if you could provide a fix for the regression.
Thanks again!

Revision history for this message
Iyyappa Murugandi (mitsmiles) wrote :

Russ,

Please let us know if there is an update on this bug.
This regression is having a huge impact on our business, so it would be good if you could provide us with an update (https://blogs.msdn.microsoft.com/azureservicefabric/2019/02/07/known-issue-for-service-fabric-linux-clusters/ ).

It would be great if you could provide us with the fix :)

Thanks!

Revision history for this message
Russ Allbery (rra-debian) wrote :

Debian has released the fix for both stable and oldstable. As I said above, I personally don't use Ubuntu, don't maintain the Ubuntu package, and don't have upload rights to Ubuntu, so I'm afraid I can't help with fixing the bug in Ubuntu. Presumably you need to find someone who works on Ubuntu to import the fix from Debian, if that doesn't happen automatically.

The fixed Debian packages are available from:

https://packages.debian.org/source/stable/updates/rssh
https://packages.debian.org/source/oldstable/updates/rssh

It's possible that one or the other may install unmodified on your Ubuntu system; I don't know.

Revision history for this message
Iyyappa Murugandi (mitsmiles) wrote :

Thanks for fixing it in Debian.
I'll request someone from Ubuntu to import the fix.

Revision history for this message
Manfred Hampl (m-hampl) wrote :

Confirmed the bug based on the Debian report.

Changed in rssh (Ubuntu):
status: New → Confirmed
Revision history for this message
Iyyappa Murugandi (mitsmiles) wrote :

Thanks!
Do you know when the new package will be released?

Revision history for this message
Mike Salvatore (mikesalvatore) wrote :

Fixes were released today. Please upgrade (sudo apt-get update && sudo apt-get upgrade).

Revision history for this message
Iyyappa Murugandi (mitsmiles) wrote :

That's great news. Thanks!
