Comment 2 for bug 1815935

Russ Allbery (rra-debian) wrote :

Thanks for the report! While I don't use or maintain the Ubuntu version of rssh, it looks like Ubuntu is importing the Debian security fixes, and this is indeed a regression in Debian as well. I'm working on a fix now, and checking with the Debian security team to confirm that it's worth a regression update. Presumably Ubuntu would then pull it in.

Please note that rssh is orphaned upstream and both upstream and I agree that its security model is not maintainable going forward, largely due to this sort of problem and the complexity of trying to analyze command lines for other programs that constantly change. The next stable release of Debian (and hence probably Ubuntu) will not contain the package, so you may want to start evaluating alternatives.