CVE-2021-38173

NameCVE-2021-38173
DescriptionBtrbk before 0.31.2 allows command execution because of the mishandling of remote hosts filtering SSH commands using ssh_filter_btrbk.sh in authorized_keys.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, Mageia, GitHub code/issues, web search, more)
ReferencesDLA-2755-1
NVD severityhigh

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
btrbk (PTS)stretch0.24.0-1vulnerable
stretch (security)0.24.0-1+deb9u1fixed
buster0.27.1-1+deb10u1fixed
bullseye0.27.1-1.1+deb11u2fixed
bookworm, sid0.31.3-1fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
btrbksourcestretch0.24.0-1+deb9u1DLA-2755-1
btrbksourcebuster0.27.1-1+deb10u1
btrbksourcebullseye0.27.1-1.1+deb11u1
btrbksource(unstable)0.27.1-2

Notes

Fixed by: https://github.com/digint/btrbk/commit/58212de771c381cd4fa05625927080bf264e9584 (v0.31.2)
Introduced by: https://github.com/digint/btrbk/commit/ccb5ed5e7191a083da52998df4c880f693451144 (v0.23.0-rc1)

Search for package or bug name: Reporting problems