[Buildroot] [PATCH v2 1/1] package/openssh: security bump to version 8.4p1

Christian Stewart christian at paral.in
Mon Mar 1 12:00:59 UTC 2021


On Mon, Mar 1, 2021 at 3:59 AM Christian Stewart <christian at paral.in> wrote:
> From: Baruch Siach <baruch at tkos.co.il>

...sigh... not sure why Git decided Baruch was the author of this one.

> Fixes CVE-2020-15778: scp in OpenSSH through 8.3p1 allows command injection in
> the scp.c toremote function, as demonstrated by backtick characters in the
> destination argument. NOTE: the vendor reportedly has stated that they
> intentionally omit validation of "anomalous argument transfers" because that
> could "stand a great chance of breaking existing workflows."
> https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-15778

This vulnerability still exists in openssh in Buildroot 2021.02-rc3.

Best regards,
Christian Stewart
