sftp-server read only permitting zero-length files to be created query
Damien Miller
djm at mindrot.org
Thu Oct 5 04:54:07 AEDT 2017
On Wed, 4 Oct 2017, Chris High wrote:
>
> OpenSSH team,
>
> The document: http://www.openssh.com/txt/release-7.6
> indicates:
> Security
> - --------
>
> * sftp-server(8): in read-only mode, sftp-server was incorrectly
> permitting creation of zero-length files. Reported by Michal
> Zalewski.
>
> But when I look here: https://www.openssh.com/security.html
> I don't see this item listed.
I've just committed the security.html updated
> At what version was this security problem
> introduced? Or is this applicable to all versions older than 7.6?
All versions that support the read-only mode, so 5.5 onwards
More information about the openssh-unix-dev
mailing list