dcsimg
Linux Today: Linux News On Internet Time.




More on LinuxToday


tinysofa Advisory: rsync

Aug 17, 2004, 16:44 (0 Talkback[s])

tinysofa Security Advisory #2004-020

Package Name: rsync
Summary: Exposure of System Information
Advisory ID: TSSA-2004-020-ES
Date: 2004-08-16

Affected Products: tinysofa enterprise server 2.0

Description

rsync [0] is a program for synchronizing files over a network.

A vulnerability [1] has been reported in rsync, which potentially can be exploited by malicious users to read or write arbitrary files on a vulnerable system.

The vulnerability is caused due to an input validation error within the "sanitize_path()" function of the "util.c" file.

Successful exploitation requires that the rsync daemon isn't running chrooted.

The vulnerability affects version 2.6.2 and prior.

Resolution

The rsync package has been updated to address this vulnerability.

References


[0] http://samba.org/rsync/
[1] http://samba.org/rsync/#security_aug04 =20

Recommended Action

We recommend that all systems with these packages installed be upgraded.

Location

All tinysofa updates are available from
<URI:http://http.tinysofa.org/pub/tinysofa/updates/>
<URI:ftp://ftp.tinysofa.org/pub/tinysofa/updates/>

Automatic Updates

Users of the APT tool can enjoy having updates automatically installed using 'apt-get upgrade'.

Questions?

Check out our mailing lists:
<URI:http://www.tinysofa.org/communicate/>

Verification

This advisory is signed with the tinysofa security sign key.
This key is available from:
<URI:http://pgp.mit.edu:11371/pks/lookup?op=3Dget&search=3D0xAEDCBB4B>

All tinysofa packages are signed with the tinysofa stable sign key.
This key is available from:
<URI:http://pgp.mit.edu:11371/pks/lookup?op=3Dget&search=3D0x0F1240A2>

The advisory is available from the tinysofa errata database at
<URI:http://www.tinysofa.org/support/errata/>
or directly at
<URI:http://www.tinysofa.org/support/errata/2004/020.html>

Updated Packages

SRPMS

606db14378c661b0b5ce1bbb3cd87d52 rsync-2.6.2-2ts.src.rpm

i386

7d8ea97c366ae496d266b168c9c172ca rsync-2.6.2-2ts.i386.rpm

--
tinysofa Security Team <security at tinysofa dot org>