Stephane Chazelas discovered that directory traversal issue in locale handling in glibc. glibc accepts relative paths with ".." components in the LC_* and LANG variables. Together with typical OpenSSH configurations (with suitable AcceptEnv settings in sshd_config), this could conceivably be used to bypass ForceCommand restrictions (or restricted shells), assuming the attacker has sufficient level of access to a file system location on the host to create crafted locale definitions there. Bug report: https://sourceware.org/bugzilla/show_bug.cgi?id=17137 Git commits: https://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=d183645616b Related alloca hardening (technically not covered by the CVE assignment) https://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=4e8f95a0df7 Actual fix https://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=58536726692 Documentation updates (To backport the new test in a reliable fashion, you need to tweak the Makefile to set the LOCPATH environment variable.)