remctl 3.14

remctl is a client/server protocol supporting remote execution of specific configured commands using GSS-API or ssh for authentication and encryption.

This is a minimal release that fixes a security bug introduced in 3.12, discovered by Santosh Ananthakrishnan. A remctl client with the ability to run a server command with the sudo configuration option may be able to corrupt the configuration of remctld to run arbitrary commands, although I believe this would be moderately difficult to do. Only remctld (not remctl-shel) is vulnerable, and only if there are commands using the sudo configuration option.

There is a more formal security advisory as well.

If you are running remctl 3.12 and 3.13, I recommend upgrading, although there should be no security consequences if you are not using the sudo configuration option. Fixed packages have been uploaded for Debian stable (stretch) and unstable.

You can get the latest version from the remctl distribution page.

Posted: 2018-04-01 15:52 — Why no comments?

Last spun 2018-04-14 from thread modified 2018-04-01