rssh (2.3.4-5+deb9u1) stretch-security; urgency=high

scp and rsync command verification have been made stricter to try to
prevent ways of running arbitrary code on the server via ssh
configuration options. As a side effect, this will break scp -3 to an
account using rssh, and will disallow using rssh to run arbitrary scp
and rsync commands on the server. Only the server end of an scp or
rsync command should now be allowed.

THE CVS SUPPORT IN RSSH IS PROBABLY NOT SECURE, as is already documented
in the manual page. While no variation of this attack for cvs is
currently known, cvs has many options and commands and the small amount
of filtering rssh does is probably not sufficient. Use the cvs support
at your own risk.

The approach rssh takes to try to restrict commands is fragile,
regularly broken by new features in the commands it tries to wrap, and
probably has additional bugs. It is no longer supported upstream and
will likely be removed from future versions of Debian. Please consider
switching to another security approach.

-- Russ Allbery <rra(a)debian.org> Tue, 29 Jan 2019 20:50:08 -0800
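
The rule stated in the entry above ("only the server end of an scp or rsync command should now be allowed"), sketched for scp as an added example; it is not rssh's code. The flag allowlist and the name server_side_scp_argv are assumptions made for illustration, and rsync is not covered.

```python
import shlex

# Assumed flag set: what an scp client sends to its remote (server) end.
MODE_FLAGS = {"-t", "-f"}               # -t: server receives, -f: server sends
EXTRA_FLAGS = {"-r", "-p", "-d", "-v"}  # recursive, preserve, dir target, verbose


def server_side_scp_argv(command):
    """Return argv if `command` is a server-end scp invocation, else None.

    The caller must exec the returned argv directly, never via a shell.
    """
    try:
        argv = shlex.split(command)
    except ValueError:          # unbalanced quotes
        return None
    if not argv or argv[0] != "scp":
        return None

    modes = 0
    i = 1
    while i < len(argv) and argv[i].startswith("-") and argv[i] != "--":
        if argv[i] in MODE_FLAGS:
            modes += 1
        elif argv[i] not in EXTRA_FLAGS:
            return None         # -3, -o, ...: anything not on the allowlist
        i += 1
    if i < len(argv) and argv[i] == "--":
        i += 1                  # explicit end of options; path may start with "-"
    # Exactly one of -t/-f and exactly one non-empty path operand must remain.
    if modes != 1 or len(argv) - i != 1 or not argv[i]:
        return None
    return argv


# Constructed sample commands (not taken from rssh or its test suite).
SAMPLES = [
    "scp -t /srv/upload",
    "scp -r -p -f -- -odd-name",
    "scp -3 alice@a:file bob@b:file",
    "scp -o Option=value host:file .",
    "scp file host:file",
]

if __name__ == "__main__":
    for cmd in SAMPLES:
        print("ALLOW" if server_side_scp_argv(cmd) else "DENY ", cmd)
```

The check is deliberately strict: combined flags such as -rt and any option outside the allowlist are refused rather than interpreted.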