Monday, February 10, 2025

[USN-7206-4] rsync regression

==========================================================================
Ubuntu Security Notice USN-7206-4
February 10, 2025

rsync regression
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 24.10

Summary:

USN-7206-3 introduced a regression in rsync.

Software Description:
- rsync: fast, versatile, remote (and local) file-copying tool

Details:

USN-7206-3 fixed vulnerabilities in rsync for Ubuntu 24.10. The update
introduced a regression in rsync. This update fixes the problem.

We apologize for the inconvenience.

Original advisory details:

Simon Scannell, Pedro Gallegos, and Jasiel Spelman discovered that rsync
did not properly handle checksum lengths. An attacker could use this
issue to execute arbitrary code. (CVE-2024-12084)

Simon Scannell, Pedro Gallegos, and Jasiel Spelman discovered that rsync
compared checksums with uninitialized memory. An attacker could exploit
this issue to leak sensitive information. (CVE-2024-12085)

Simon Scannell, Pedro Gallegos, and Jasiel Spelman discovered that rsync
incorrectly handled file checksums. A malicious server could use this
to expose arbitrary client files. (CVE-2024-12086)

Simon Scannell, Pedro Gallegos, and Jasiel Spelman discovered that rsync
mishandled symlinks for some settings. An attacker could exploit this
to write files outside the intended directory. (CVE-2024-12087)

Simon Scannell, Pedro Gallegos, and Jasiel Spelman discovered that rsync
failed to verify symbolic link destinations for some settings. An
attacker could exploit this for path traversal attacks. (CVE-2024-12088)

Aleksei Gorban discovered a race condition in rsync's handling of
symbolic links. An attacker could use this to access sensitive
information or escalate privileges. (CVE-2024-12747)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 24.10
rsync 3.3.0-1ubuntu0.2

In general, a standard system update will install the fixed package.
If you run rsync as a daemon, restart it after the update so that the
running daemon uses the new binary.
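The update procedure above, as an added example that is not part of the Ubuntu notice: a POSIX shell script that reads the installed rsync version, compares it with the fixed version 3.3.0-1ubuntu0.2 named in this notice, upgrades only when the installed version is older, and restarts the rsync daemon only if one is actually running. The function names, the `--apply` flag, the `sort -V` fallback used when `dpkg` is not available, and the release check against `/etc/os-release` are my own choices; `rsync.service` is the unit name shipped by the Debian/Ubuntu rsync package.

```shell
#!/bin/sh
# Added example (not from USN-7206-4): verify, upgrade and restart rsync
# for the Ubuntu 24.10 fix described in this notice. Run as root with
# "--apply"; without it the script only defines the functions.
set -eu

# Fixed version for Ubuntu 24.10, taken from the "Update instructions".
USN_7206_4_FIXED="3.3.0-1ubuntu0.2"
USN_7206_4_RELEASE="24.10"

# version_ge A B: succeed if Debian package version A is >= B.
# dpkg's comparison is authoritative (epochs, "~" pre-release suffixes);
# the GNU "sort -V" fallback is an assumption for hosts without dpkg and
# is only adequate for plain versions like the ones in this notice.
version_ge() {
    if command -v dpkg >/dev/null 2>&1; then
        dpkg --compare-versions "$1" ge "$2"
    else
        [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)" = "$2" ]
    fi
}

# rsync_needs_update INSTALLED [FIXED]: succeed if INSTALLED is older
# than FIXED (defaults to the version from this notice).
rsync_needs_update() {
    ! version_ge "$1" "${2:-$USN_7206_4_FIXED}"
}

# installed_rsync_version: print the installed version, or nothing if
# the rsync package is not installed.
installed_rsync_version() {
    dpkg-query -W -f='${Version}' rsync 2>/dev/null || true
}

# apply_usn_7206_4: the remediation itself. Requires root and apt.
apply_usn_7206_4() {
    # The fixed version is only meaningful on the release the notice covers.
    if [ -r /etc/os-release ]; then
        release_id="$(. /etc/os-release; printf '%s' "${VERSION_ID:-}")"
        if [ "$release_id" != "$USN_7206_4_RELEASE" ]; then
            echo "warning: this notice covers Ubuntu $USN_7206_4_RELEASE," \
                 "found VERSION_ID=$release_id" >&2
        fi
    fi

    installed="$(installed_rsync_version)"
    if [ -z "$installed" ]; then
        echo "rsync is not installed; nothing to do"
        return 0
    fi

    if rsync_needs_update "$installed"; then
        echo "rsync $installed is older than $USN_7206_4_FIXED; upgrading"
        apt-get update
        apt-get install --only-upgrade -y rsync
    else
        echo "rsync $installed is already at or beyond $USN_7206_4_FIXED"
    fi

    # The notice asks for a daemon restart "if configured": try-restart
    # restarts the unit only when it is active and is a no-op otherwise.
    if command -v systemctl >/dev/null 2>&1; then
        systemctl try-restart rsync.service
    fi

    # A daemon started by hand ("rsync --daemon") is not managed by
    # systemd; list any such process so it can be restarted manually.
    pgrep -a -f 'rsync --daemon' || true
}

if [ "${1:-}" = "--apply" ]; then
    apply_usn_7206_4
fi
```

Invoke it as `sudo sh ./check-rsync.sh --apply`; sourcing the file without the flag makes `version_ge` and `rsync_needs_update` available for use in other scripts, for instance a fleet-wide compliance check that compares the output of `dpkg-query` against the fixed version.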

References:
https://ubuntu.com/security/notices/USN-7206-4
https://ubuntu.com/security/notices/USN-7206-3
https://ubuntu.com/security/notices/USN-7206-2
https://ubuntu.com/security/notices/USN-7206-1
https://launchpad.net/bugs/2096914

Package Information:
https://launchpad.net/ubuntu/+source/rsync/3.3.0-1ubuntu0.2
