{"id":"MGASA-2019-0156","summary":"Updated openssh packages fix security vulnerabilities","details":"Updated openssh packages fix security vulnerabilities:\n\nDue to missing character encoding in the progress display, the object\nname can be used to manipulate the client output, for example to employ\nANSI codes to hide additional files being transferred (CVE-2019-6109).\n\nDue to scp client insufficient input validation in path names sent by\nserver, a malicious server can do arbitrary file overwrites in target\ndirectory. If the recursive (-r) option is provided, the server can\nalso manipulate subdirectories as well (CVE-2019-6111).\n\nThe check added in this version can lead to regression if the client and\nthe server have differences in wildcard expansion rules. If the server is\ntrusted for that purpose, the check can be disabled with a new -T option\nto the scp client.\n","modified":"2026-04-16T01:47:00.001215599Z","published":"2019-05-12T09:35:33Z","upstream":["CVE-2019-6109","CVE-2019-6111"],"references":[{"type":"ADVISORY","url":"https://advisories.mageia.org/MGASA-2019-0156.html"},{"type":"REPORT","url":"https://bugs.mageia.org/show_bug.cgi?id=24308"},{"type":"WEB","url":"https://www.debian.org/security/2019/dsa-4387"}],"affected":[{"package":{"name":"openssh","ecosystem":"Mageia:6","purl":"pkg:rpm/mageia/openssh?arch=source&distro=mageia-6"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"7.5p1-2.4.mga6"}]}],"ecosystem_specific":{"section":"core"},"database_specific":{"source":"https://advisories.mageia.org/MGASA-2019-0156.json"}}],"schema_version":"1.7.5","credits":[{"name":"Mageia","contact":["https://wiki.mageia.org/en/Packages_Security_Team"],"type":"COORDINATOR"}]}