Linux Today: Linux News On Internet Time.
Search Linux Today
Linux News Sections:  Developer -  High Performance -  Infrastructure -  IT Management -  Security -  Storage -
Linux Today Navigation
LT Home
Contribute
Contribute
Link to Us
Linux Jobs


More on LinuxToday


Conectiva Linux Security Announcement: rsync

Jan 25, 2002, 21:46 (2 Talkback[s])
- --------------------------------------------------------------------------
CONECTIVA LINUX SECURITY ANNOUNCEMENT 
- --------------------------------------------------------------------------

PACKAGE   : rsync
SUMMARY   : Remote vulnerability
DATE      : 2002-01-25 16:31:00
ID        : CLA-2002:458
RELEVANT
RELEASES  : 5.0, prg graficos, ecommerce, 5.1, 6.0, 7.0

- -------------------------------------------------------------------------

DESCRIPTION
 "rsync" is a program used mainly to mirror files between remote
 sites.
 
 Sebastian Krahmer from SuSe did an audit on the rsync source code and
 found several vulneranilities regarding the use of signed integers.
 Some variables could receive a negative value, and this was a
 condition that was not expected by the program. A remote attacker
 could exploit this to execute commands on the rsync server.


SOLUTION
 It is recommended that all rsync users upgrade their packages.
 
 IMPORTANT: please stop all rsync processes before upgrading. This
 will ensure that no old vulnerable copies will be left running. If
 rsync is running in daemon mode, it has to be restarted manually
 after upgrading.
 If rsync is being started by inetd or xinetd, then no further action
 is necessary after the upgrade, since these tools will automatically
 use the upgraded package.


DIRECT DOWNLOAD LINKS TO THE UPDATED PACKAGES
ftp://atualizacoes.conectiva.com.br/5.0/SRPMS/rsync-2.4.6-4U50_1cl.src.rpm
ftp://atualizacoes.conectiva.com.br/5.0/i386/rsync-2.4.6-4U50_1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/5.1/SRPMS/rsync-2.4.6-4U51_1cl.src.rpm
ftp://atualizacoes.conectiva.com.br/5.1/i386/rsync-2.4.6-4U51_1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/6.0/SRPMS/rsync-2.4.6-4U60_1cl.src.rpm
ftp://atualizacoes.conectiva.com.br/6.0/RPMS/rsync-2.4.6-4U60_1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/7.0/SRPMS/rsync-2.4.6-4U70_1cl.src.rpm
ftp://atualizacoes.conectiva.com.br/7.0/RPMS/rsync-2.4.6-4U70_1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/ferramentas/ecommerce/SRPMS/rsync-2.4.6-4U50_1cl.src.rpm
ftp://atualizacoes.conectiva.com.br/ferramentas/ecommerce/i386/rsync-2.4.6-4U50_1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/ferramentas/graficas/SRPMS/rsync-2.4.6-4U50_1cl.src.rpm
ftp://atualizacoes.conectiva.com.br/ferramentas/graficas/i386/rsync-2.4.6-4U50_1cl.i386.rpm


ADDITIONAL INSTRUCTIONS
 Users of Conectiva Linux version 6.0 or higher may use apt to perform 
 upgrades of RPM packages:
 - add the following line to /etc/apt/sources.list if it is not there yet
   (you may also use linuxconf to do this):

 rpm [cncbr] ftp://atualizacoes.conectiva.com.br 6.0/conectiva updates

(replace 6.0 with the correct version number if you are not running CL6.0)

 - run:                 apt-get update
 - after that, execute: apt-get upgrade

 Detailed instructions reagarding the use of apt and upgrade examples 
 can be found at http://distro.conectiva.com.br/atualizacoes/#apt?idioma=en


- -------------------------------------------------------------------------
All packages are signed with Conectiva's GPG key. The key and instructions
on how to import it can be found at 
http://distro.conectiva.com.br/seguranca/chave/?idioma=en
Instructions on how to check the signatures of the RPM packages can be
found at http://distro.conectiva.com.br/seguranca/politica/?idioma=en
- -------------------------------------------------------------------------
All our advisories and generic update instructions can be viewed at
http://distro.conectiva.com.br/atualizacoes/?idioma=en

- -------------------------------------------------------------------------
subscribe: conectiva-updates-subscribe@papaleguas.conectiva.com.br
unsubscribe: conectiva-updates-unsubscribe@papaleguas.conectiva.com.br