| 1 |
On Sat, Jul 25, 2020 at 08:05:14PM -0400, Rich Freeman wrote: |
| 2 |
> On Sat, Jul 25, 2020 at 7:40 PM Joshua Kinard <kumba@g.o> wrote: |
| 3 |
> > |
| 4 |
> > This seems like something that needs a news entry, or |
| 5 |
> > at least a "heads up" on the mailing list? |
| 6 |
> |
| 7 |
> Definitely not a "heads up" on the mailing list - that is not an |
| 8 |
> appropriate way to communicate anything to users - not even devs are |
| 9 |
> required to read this list. |
| 10 |
> |
| 11 |
> The two appropriate ways to communicate something like this are |
| 12 |
> einfo/ewarn/etc or news. Never hurts to use news. Ideally I'd point |
| 13 |
> to a substitute, and I'd suggest one myself if I were aware of one... |
| 14 |
|
| 15 |
Just to have this information here for easy access, this is upstream's |
| 16 |
response from that bug's URL [1]. They recommend "rsync or something else": |
| 17 |
|
| 18 |
The scp command is a historical protocol (called rcp) which relies |
| 19 |
upon that style of argument passing and encounters expansion |
| 20 |
problems. It has proven very difficult to add "security" to the scp |
| 21 |
model. All attempts to "detect" and "prevent" anomalous argument |
| 22 |
transfers stand a great chance of breaking existing workflows. Yes, |
| 23 |
we recognize it the situation sucks. But we don't want to break the |
| 24 |
easy patterns people use scp for, until there is a commonplace |
| 25 |
replacement. People should use rsync or something else instead if |
| 26 |
they are concerned. |
| 27 |
|
| 28 |
[1] https://github.com/cpandya2909/CVE-2020-15778/ |
Archives