[scponly] scponly 4.8 available

wbr oblyr joe at sublimation.org
Mon Jan 28 20:09:41 EST 2008


And despite being reminded, I forgot to include the md5 hash.  here it is:

MD5 (scponly-4.8.tgz) = 139ac9abd7f3b8dbc5c5520745318f8a

thanks,
joe


wbr oblyr wrote this message on Mon, Jan 28, 2008 at 17:05 -0800:
> 
> This is an announcement for the release of scponly 4.8, which is available here:
> 
> http://sourceforge.net/projects/scponly/
> 
> The most important change in scponly 4.8 is the argument validation code needed to support the 
> various transport protocols safely. All the various arguments for svn, rsync, sftp-server, et 
> cetera present multiple vectors for surreptitiously injecting commands and scponly's hardest 
> challenge is in policing these command line arguments to allow functionality without giving up 
> execution to the remote user.  
> 
> The most important fix in 4.8 is the exclusion of the -o and -F flags to scp, which would 
> allow a remote user to specify alternate configuration directives, which in turn could be used 
> to escalate to execution privs.  For example, specifying a ProxyCommand directive could be 
> leveraged to run an uploaded program.  It is important to note that vulnerabilities of this 
> nature are only possible after authentication.  Also note scp is no longer enabled by default 
> in scponly.
> 
> However, it is strongly recommended that people read the SECURITY document contained inside 
> the scponly source tarball for further details.  It is also strongly recommended that security 
> conscious administrators pay particular attention to the supported transport mechanisms they 
> choose to enable or disable via the configure script when installing scponly. 
> 
> Credit for the code in scponly is due to Kaleb Pederson with a big thanks to Florian Weimer 
> for providing the heads up and a patch.
> 
> Any issues with scponly-4.8 can be directed to this mailing list and/or me directly.
> joe
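The argument-policing problem the announcement describes, shown as an added example in C (scponly's own language); this is illustration code written for this page, not scponly's implementation, and the option sets, function names and sample command lines are assumptions. It applies an allow-list to the argv a remote user hands to scp through a restricted shell: the flags a plain transfer needs pass, and -o and -F are refused in every spelling (separate token, attached value, or buried in a clustered group such as -rto), since either can carry a ProxyCommand directive that runs an uploaded program. It also refuses a command line with neither -t nor -f, because scp without a server-mode flag behaves as a client and would spawn ssh. The -S check goes beyond the announcement: it is the same class of option (an alternate ssh program) and is included on the same reasoning.

```c
/*
 * Added example, not code from scponly: an allow-list check for the argv a
 * remote user hands to scp through a restricted shell.  Option sets, names
 * and sample command lines below are assumptions for illustration.
 */
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

static const char *ALLOWED_FLAGS      = "ftrpdvq"; /* -f/-t mode, -r, -p, -d, -v, -q */
static const char *ALLOWED_WITH_VALUE = "l";       /* -l bandwidth limit */
/* -o and -F are the two the announcement excludes; -S (alternate ssh program)
 * is in the same class and is added here on the same reasoning. */
static const char *FORBIDDEN          = "oFS";

/* Write a rejection reason (if a buffer was given) and return 0. */
static int reject(char *why, size_t whylen, const char *fmt, ...)
{
    if (why && whylen) {
        va_list ap;
        va_start(ap, fmt);
        vsnprintf(why, whylen, fmt, ap);
        va_end(ap);
    }
    return 0;
}

/* Returns 1 if argv (argv[0] is the program name) is acceptable, else 0 with
 * the reason written to 'why' (which may be NULL). */
int scp_argv_check(int argc, char *const argv[], char *why, size_t whylen)
{
    int server_mode = 0;   /* saw -t or -f: scp acts as the remote end, not a client */

    for (int i = 1; i < argc; i++) {
        const char *a = argv[i];
        if (strcmp(a, "--") == 0)
            break;                           /* everything after is a path operand */
        if (a[0] != '-' || a[1] == '\0')
            continue;                        /* path operand, or a lone "-" */

        /* Walk each letter of the token so clustered groups like -rto are caught. */
        for (const char *p = a + 1; *p; p++) {
            if (strchr(FORBIDDEN, *p))
                return reject(why, whylen, "-%c can reconfigure ssh (argv[%d]=\"%s\")", *p, i, a);
            if (strchr(ALLOWED_WITH_VALUE, *p)) {
                if (p[1] == '\0' && ++i >= argc)   /* value is the next token */
                    return reject(why, whylen, "-%c is missing its value", *p);
                break;                           /* an attached value consumed the rest */
            }
            if (!strchr(ALLOWED_FLAGS, *p))
                return reject(why, whylen, "-%c is not on the allow list (argv[%d]=\"%s\")", *p, i, a);
            if (*p == 't' || *p == 'f')
                server_mode = 1;
        }
    }
    if (!server_mode)
        return reject(why, whylen, "neither -t nor -f: scp would run as a client");
    if (why && whylen)
        snprintf(why, whylen, "ok");
    return 1;
}

/* Constructed sample command lines (not captured from a real session).
 * Returns the number of cases whose verdict differs from the expected one. */
int run_examples(void)
{
    struct { char *const *argv; int argc; int want; } cases[] = {
        { (char *const[]){"scp", "-t", "incoming/"},                          3, 1 },
        { (char *const[]){"scp", "-rp", "-l", "200", "-f", "export/"},         6, 1 },
        { (char *const[]){"scp", "-o", "ProxyCommand=./uploaded", "-t", "x"},  5, 0 },
        { (char *const[]){"scp", "-oProxyCommand=./uploaded", "-t", "x"},      4, 0 },
        { (char *const[]){"scp", "-F", "uploaded_ssh_config", "-t", "x"},      5, 0 },
        { (char *const[]){"scp", "-rto", "ProxyCommand=./uploaded", "x"},      4, 0 },
        { (char *const[]){"scp", "x", "somehost:y"},                           3, 0 },
    };
    int bad = 0;
    for (size_t k = 0; k < sizeof cases / sizeof cases[0]; k++) {
        char why[128];
        int got = scp_argv_check(cases[k].argc, cases[k].argv, why, sizeof why);
        printf("%-7s %s\n", got ? "allow" : "reject", why);
        if (got != cases[k].want)
            bad++;
    }
    return bad;
}

int main(void)
{
    return run_examples() ? 1 : 0;
}
```

The deny-by-default shape matters more than the particular letters: an unknown option is rejected rather than passed through, so a future scp option that takes a program or a config value is not silently admitted. Note also that a value-taking option swallows the token after it exactly as getopt does, so "scp -l -t dir" loses its -t and is correctly refused as a would-be client invocation.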


