remctl 3.14 released

classic Classic list List threaded Threaded
1 message Options
Reply | Threaded
Open this post in threaded view

remctl 3.14 released

Russ Allbery-2
Version 3.14 of remctl has been released.  This is a minimal security fix
over 3.13 (with some additional warning fixes for the latest version of

remctl is a client/server application that supports remote execution of
specific commands, using Kerberos GSS-API for authentication.
Authorization is controlled by a configuration file and ACL files and can
be set separately for each command, unlike with rsh.  remctl is like a
Kerberos-authenticated simple CGI server, or a combination of Kerberos rsh
and sudo without most of the features and complexity of either.

Changes from previous release:

    SECURITY: Fix use-after-free and double-free when handling the sudo
    option in the remctld and remctl-shell server.  For remctl-shell, this
    will occasionally produce a spurious non-zero exit status for a
    command that succeeded.  For remctld, the normal consequence is a
    server process crash after running a command with the sudo option, but
    it may be possible (albeit difficult) for a streaming client to abuse
    this bug to execute an arbitrary command on the server or corrupt
    server memory.  Thanks, Santosh Ananthakrishnan.  (CVE-2018-0493)

You can download it from:


This package is maintained using Git; see the instructions on the above
page to access the Git repository.

Debian packages have been uploaded to Debian unstable.

Please let me know of any problems or feature requests not already listed
in the TODO file.

Russ Allbery ([hidden email])              <>
Kerberos mailing list           [hidden email]