sftp-server read only permitting zero-length files to be created query

Damien Miller djm at mindrot.org
Thu Oct 5 04:54:07 AEDT 2017


On Wed, 4 Oct 2017, Chris High wrote:

> 
> OpenSSH team,
> 
> The document:  http://www.openssh.com/txt/release-7.6
> indicates:
>    Security
>    - --------
> 
>     * sftp-server(8): in read-only mode, sftp-server was incorrectly
>       permitting creation of zero-length files. Reported by Michal
>       Zalewski.
> 
> But when I look here:  https://www.openssh.com/security.html
> I don't see this item listed.

I've just committed the security.html updated

> At what version was this security problem
> introduced?  Or is this applicable to all versions older than 7.6?

All versions that support the read-only mode, so 5.5 onwards


More information about the openssh-unix-dev mailing list