rsync-2.5.2 has security fix (was: Re: [RHSA-2002:018-05] New rsync packages available)

From: Jim Knoble (jmknobleat_private)
Date: Sun Jan 27 2002 - 01:45:41 PST

Circa 2002-Jan-25 16:33:00 -0500 dixit bugzillaat_private:

: ---------------------------------------------------------------------
:                    Red Hat, Inc. Red Hat Security Advisory
:
: Synopsis:          New rsync packages available
: Advisory ID:       RHSA-2002:018-05
: Issue date:        2002-01-23
: Updated on:        2002-01-25
: Product:           Red Hat Linux
: Keywords:          rsync signed unsigned daemon
: Cross references:
: Obsoletes:
: ---------------------------------------------------------------------
:
: 1. Topic:
:
: New rsync packages are available; these fix a remotely exploitable problem
: in the I/O functions.

  [...]

: rsync is a powerful tool used for mirroring directory structures across
: machines.  rsync has been found to contain several signed/unsigned bugs in
: its I/O functions which are remotely exploitable.   A remote user can crash
: the rsync server/client and execute code as the user running the rsync
: server or client.
:
: The Common Vulnerabilities and Exposures project (cve.mitre.org) has
: assigned the name CAN-2002-0048 to this issue.

I can't seem to find any information about this issue at cve.mitre.org;
it simply says:

  ** RESERVED ** This candidate has been reserved by an organization or
  individual that will use it when announcing a new security problem.
  When the candidate has been publicized, the details for this
  candidate will be provided.

I've seen at least three announcements about rsync from different Linux
distribution vendors, but no information at all about what versions are
actually vulnerable, or when the vulnerability was discovered (or fixed).

For folks who have actually moved beyond vendor-supplied
point-and-drool packages of rsync, there's a need for actual real
information about what versions of rsync are vulnerable and what the
fix is.

Hence, this news from http://rsync.samba.org/:

    rsync 2.5.2

             The latest version of rsync is version 2.5.2.

             This version includes the following changes:

             rsync 2.5.2 (26 Jan 2002)

               SECURITY FIXES:

                 * Signedness security patch from Sebastian Krahmer
                   -- in some cases we were not sufficiently
                   careful about reading integers from the network.

Further information is at http://rsync.samba.org/.

I find it tiring that vendors neglect to disclose this sort of
information in their public announcements.  A simple statement such as
"Plain-vanilla versions of rsync less than 2.5.2 are vulnerable.
However, we've backported the fix to our sparkling new package of
rsync-2.4.6.  Customers who use our Strawberry Linux Forever
distribution should upgrade to our packages, listed below: ...."

That sort of information helps everyone.

--
jim knoble | jmknobleat_private   | http://www.pobox.com/~jmknoble/
(GnuPG fingerprint: 31C4:8AAC:F24E:A70C:4000::BBF4:289F:EAA8:1381:1491)
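An added illustration of the bug class the advisory and the 2.5.2 changelog name (signed/unsigned handling of integers read from the network), placed here by the editor; it is not rsync's code and not the Krahmer patch. The length-check functions, the 4-byte little-endian header and the 4096-byte cap are constructed for the example.

```c
#include <stddef.h>
#include <stdint.h>

/* Constructed example: not rsync's read_int()/read_buf() and not the 2.5.2
 * patch. MAX_LEN is an arbitrary cap chosen for illustration. */
#define MAX_LEN 4096u

/* Decode a 32-bit little-endian integer from a 4-byte header field. */
static int32_t read_int_le(const unsigned char hdr[4]) {
    uint32_t v = (uint32_t)hdr[0] | ((uint32_t)hdr[1] << 8) |
                 ((uint32_t)hdr[2] << 16) | ((uint32_t)hdr[3] << 24);
    return (int32_t)v;   /* wraps to a negative value when bit 31 is set */
}

/* Weak check of the kind the advisory describes: only the upper bound is
 * tested, in signed arithmetic. A negative value passes and is then converted
 * to size_t, where -1 becomes SIZE_MAX. Returns 1 if the length would be
 * accepted and stores the size a subsequent copy would receive in *out. */
int weak_accept(const unsigned char hdr[4], size_t *out) {
    int32_t len = read_int_le(hdr);
    if (len > (int32_t)MAX_LEN)
        return 0;                 /* rejects 8192, but not -1 */
    *out = (size_t)len;           /* -1 -> SIZE_MAX */
    return 1;
}

/* Hardened check: reject negative values before any unsigned conversion,
 * then enforce the upper bound in unsigned arithmetic. */
int safe_accept(const unsigned char hdr[4], size_t *out) {
    int32_t len = read_int_le(hdr);
    if (len < 0 || (uint32_t)len > MAX_LEN)
        return 0;
    *out = (size_t)len;
    return 1;
}
```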

This archive was generated by hypermail 2b30 : Mon Jan 28 2002 - 11:00:41 PST