- Package: src:sshfs-fuse
- Source: src:sshfs-fuse
- Submitter: Salvatore Bonaccorso
- Date: 2026-06-02 19:49:02 UTC
- Severity: normal
- Tags:
Hi,

The following vulnerabilities were published for sshfs-fuse.

CVE-2026-47187[0]:
| Symlink escape - rogue SFTP server -> local file read/write

CVE-2026-48711[1]:
| ssh argument injection via bracketed mount source

If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2026-47187
    https://www.cve.org/CVERecord?id=CVE-2026-47187
[1] https://security-tracker.debian.org/tracker/CVE-2026-48711
    https://www.cve.org/CVERecord?id=CVE-2026-48711
[2] https://www.openwall.com/lists/oss-security/2026/05/30/3

Regards,
Salvatore
Hi,

for the one dropping the test changes which are not run anyway, as they do not apply cleanly).

So far only lightly tested, but running as well on debusine:
https://debusine.debian.net/debian/developers/work-request/798664/

The idea would be, given the same version across down to bookworm, to
make corresponding 3.7.3-1.2~deb13u1 and 3.7.3-1.2~deb12u1 (either via
a DSA or point release update, I'm not yet sure, given CVE-2026-47187
needs as well a malicious server involved).

Regards,
Salvatore
Dear maintainer,

I've prepared an NMU for sshfs-fuse (versioned as 3.7.3-1.2) and
uploaded it to DELAYED/2. Please feel free to tell me if I should
cancel it.

Regards
Salvatore
We believe that the bug you reported is fixed in the latest version of
sshfs-fuse, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 1138293@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Salvatore Bonaccorso <carnil@debian.org> (supplier of updated sshfs-fuse package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)
Format: 1.8
Date: Sat, 30 May 2026 17:20:39 +0200
Source: sshfs-fuse
Architecture: source
Version: 3.7.3-1.2
Distribution: unstable
Urgency: high
Maintainer: Bartosz Fenski <fenio@debian.org>
Changed-By: Salvatore Bonaccorso <carnil@debian.org>
Closes: 1138293
Changes:
sshfs-fuse (3.7.3-1.2) unstable; urgency=high
.
* Non-maintainer upload.
* add contain_symlinks option to prevent symlink escape attacks
(CVE-2026-47187) (Closes: #1138293)
* reject hostname option injection via bracketed mount source (CVE-2026-48711)
(Closes: #1138293)
Format: 1.8
Date: Tue, 02 Jun 2026 13:11:01 +0200
Source: sshfs-fuse
Architecture: source
Version: 3.7.3-1.2~deb13u1
Distribution: trixie
Urgency: high
Maintainer: Bartosz Fenski <fenio@debian.org>
Changed-By: Salvatore Bonaccorso <carnil@debian.org>
Closes: 1138293
Changes:
sshfs-fuse (3.7.3-1.2~deb13u1) trixie; urgency=medium
.
* Non-maintainer upload.
* Rebuild for trixie
.
sshfs-fuse (3.7.3-1.2) unstable; urgency=high
.
* Non-maintainer upload.
* add contain_symlinks option to prevent symlink escape attacks
(CVE-2026-47187) (Closes: #1138293)
* reject hostname option injection via bracketed mount source (CVE-2026-48711)
(Closes: #1138293)
Format: 1.8
Date: Tue, 02 Jun 2026 13:13:13 +0200
Source: sshfs-fuse
Architecture: source
Version: 3.7.3-1.2~deb12u1
Distribution: bookworm
Urgency: high
Maintainer: Bartosz Fenski <fenio@debian.org>
Changed-By: Salvatore Bonaccorso <carnil@debian.org>
Closes: 1138293
Changes:
sshfs-fuse (3.7.3-1.2~deb12u1) bookworm; urgency=medium
.
* Non-maintainer upload.
* Rebuild for bookworm
.
sshfs-fuse (3.7.3-1.2) unstable; urgency=high
.
* Non-maintainer upload.
* add contain_symlinks option to prevent symlink escape attacks
(CVE-2026-47187) (Closes: #1138293)
* reject hostname option injection via bracketed mount source (CVE-2026-48711)
(Closes: #1138293)