VulnerableCode Package Details - pkg:alpm/archlinux/openssh@7.9p1-1

Search for packages

Vulnerability	Summary	Fixed by
VCID-7stj-j6mx-aaak Aliases: CVE-2019-6111	An issue was discovered in OpenSSH 7.9. Due to the scp implementation being derived from 1983 rcp, the server chooses which files/directories are sent to the client. However, the scp client only performs cursory validation of the object name returned (only directory traversal attacks are prevented). A malicious scp server (or Man-in-The-Middle attacker) can overwrite arbitrary files in the scp client target directory. If recursive operation (-r) is performed, the server can manipulate subdirectories as well (for example, to overwrite the .ssh/authorized_keys file).	8.0p1-1 Affected by 0 other vulnerabilities.
VCID-f1zj-c92q-aaar Aliases: CVE-2019-6109	An issue was discovered in OpenSSH 7.9. Due to missing character encoding in the progress display, a malicious server (or Man-in-The-Middle attacker) can employ crafted object names to manipulate the client output, e.g., by using ANSI control codes to hide additional files being transferred. This affects refresh_progress_meter() in progressmeter.c.	8.0p1-1 Affected by 0 other vulnerabilities.
VCID-g3um-2fb6-aaaq Aliases: CVE-2018-20685	In OpenSSH 7.9, scp.c in the scp client allows remote SSH servers to bypass intended access restrictions via the filename of . or an empty filename. The impact is modifying the permissions of the target directory on the client side.	8.0p1-1 Affected by 0 other vulnerabilities.

Vulnerability

Summary

Fixed by

VCID-7stj-j6mx-aaak
Aliases:
CVE-2019-6111

An issue was discovered in OpenSSH 7.9. Due to the scp implementation being derived from 1983 rcp, the server chooses which files/directories are sent to the client. However, the scp client only performs cursory validation of the object name returned (only directory traversal attacks are prevented). A malicious scp server (or Man-in-The-Middle attacker) can overwrite arbitrary files in the scp client target directory. If recursive operation (-r) is performed, the server can manipulate subdirectories as well (for example, to overwrite the .ssh/authorized_keys file).

8.0p1-1
Affected by 0 other vulnerabilities.

VCID-f1zj-c92q-aaar
Aliases:
CVE-2019-6109

An issue was discovered in OpenSSH 7.9. Due to missing character encoding in the progress display, a malicious server (or Man-in-The-Middle attacker) can employ crafted object names to manipulate the client output, e.g., by using ANSI control codes to hide additional files being transferred. This affects refresh_progress_meter() in progressmeter.c.

8.0p1-1
Affected by 0 other vulnerabilities.

VCID-g3um-2fb6-aaaq
Aliases:
CVE-2018-20685

In OpenSSH 7.9, scp.c in the scp client allows remote SSH servers to bypass intended access restrictions via the filename of . or an empty filename. The impact is modifying the permissions of the target directory on the client side.

8.0p1-1
Affected by 0 other vulnerabilities.

Vulnerability	Summary	Aliases
This package is not known to fix vulnerabilities.

Vulnerability

Summary

Aliases

This package is not known to fix vulnerabilities.

Date	Actor	Action	Vulnerability	Source	VulnerableCode Version
2025-03-28T07:45:57.484283+00:00	Arch Linux Importer	Affected by	VCID-g3um-2fb6-aaaq	https://security.archlinux.org/AVG-951	36.0.0
2025-03-28T07:45:57.463782+00:00	Arch Linux Importer	Affected by	VCID-f1zj-c92q-aaar	https://security.archlinux.org/AVG-951	36.0.0
2025-03-28T07:45:57.443242+00:00	Arch Linux Importer	Affected by	VCID-7stj-j6mx-aaak	https://security.archlinux.org/AVG-951	36.0.0
2024-10-25T05:48:37.019438+00:00	Arch Linux Importer	Affected by	VCID-g3um-2fb6-aaaq	https://security.archlinux.org/AVG-951	34.0.2
2024-10-25T05:48:36.990882+00:00	Arch Linux Importer	Affected by	VCID-f1zj-c92q-aaar	https://security.archlinux.org/AVG-951	34.0.2
2024-10-25T05:48:36.962713+00:00	Arch Linux Importer	Affected by	VCID-7stj-j6mx-aaak	https://security.archlinux.org/AVG-951	34.0.2
2024-09-18T02:01:00.395575+00:00	Arch Linux Importer	Affected by	VCID-g3um-2fb6-aaaq	https://security.archlinux.org/AVG-951	34.0.1
2024-09-18T02:01:00.373139+00:00	Arch Linux Importer	Affected by	VCID-f1zj-c92q-aaar	https://security.archlinux.org/AVG-951	34.0.1
2024-09-18T02:01:00.349917+00:00	Arch Linux Importer	Affected by	VCID-7stj-j6mx-aaak	https://security.archlinux.org/AVG-951	34.0.1
2024-04-28T07:57:46.127774+00:00	Arch Linux Importer	Affected by	VCID-g3um-2fb6-aaaq	https://security.archlinux.org/AVG-951	34.0.0rc4
2024-04-28T07:57:46.105336+00:00	Arch Linux Importer	Affected by	VCID-f1zj-c92q-aaar	https://security.archlinux.org/AVG-951	34.0.0rc4
2024-04-28T07:57:46.083338+00:00	Arch Linux Importer	Affected by	VCID-7stj-j6mx-aaak	https://security.archlinux.org/AVG-951	34.0.0rc4
2024-01-03T22:27:16.732111+00:00	Arch Linux Importer	Affected by	VCID-g3um-2fb6-aaaq	https://security.archlinux.org/AVG-951	34.0.0rc1
2024-01-03T22:27:16.710558+00:00	Arch Linux Importer	Affected by	VCID-f1zj-c92q-aaar	https://security.archlinux.org/AVG-951	34.0.0rc1
2024-01-03T22:27:16.680615+00:00	Arch Linux Importer	Affected by	VCID-7stj-j6mx-aaak	https://security.archlinux.org/AVG-951	34.0.0rc1

2025-03-28T07:45:57.484283+00:00

Arch Linux Importer

Affected by

Next non-vulnerable version	8.0p1-1
Latest non-vulnerable version	9.8p1-1
Risk	10.0