Sicherheit: Zwei Probleme in rsync

Lesezeichen hinzufügen

--===============7768983555371382659==
Content-Type: multipart/signed; micalg="pgp-sha256";
protocol="application/pgp-signature";
boundary="=-r/TZ2WM2A6tyDs8eKwMM"

--=-r/TZ2WM2A6tyDs8eKwMM
Content-Type: text/plain; charset="UTF-8
Content-Transfer-Encoding: quoted-printable

==========================================================================
Ubuntu Security Notice USN-3506-1
December 07, 2017

rsync vulnerabilities
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 17.10
- Ubuntu 17.04
- Ubuntu 16.04 LTS
- Ubuntu 14.04 LTS

Summary:

Several security issues were fixed in rsync.

Software Description:
- rsync: fast, versatile, remote (and local) file-copying tool

Details:

It was discovered that rsync proceeds with certain file metadata
updates before checking for a filename. An attacker could use this to
bypass access restrictions. (CVE-2017-17433)

It was discovered that rsync does not check for fnamecmp filenames and
also does not apply the sanitize_paths protection mechanism to
pathnames. An attacker could use this to bypass access restrictions.
(CVE-2017-17434)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 17.10:
rsync 3.1.2-2ubuntu0.1

Ubuntu 17.04:
rsync 3.1.2-1ubuntu0.1

Ubuntu 16.04 LTS:
rsync 3.1.1-3ubuntu1.1

Ubuntu 14.04 LTS:
rsync 3.1.0-2ubuntu0.3

In general, a standard system update will make all the necessary
changes.

References:
https://www.ubuntu.com/usn/usn-3506-1
CVE-2017-17433, CVE-2017-17434

Package Information:
https://launchpad.net/ubuntu/+source/rsync/3.1.2-2ubuntu0.1
https://launchpad.net/ubuntu/+source/rsync/3.1.2-1ubuntu0.1
https://launchpad.net/ubuntu/+source/rsync/3.1.1-3ubuntu1.1
https://launchpad.net/ubuntu/+source/rsync/3.1.0-2ubuntu0.3

--=-r/TZ2WM2A6tyDs8eKwMM
Content-Type: application/pgp-signature; name="signature.asc"
Content-Description: This is a digitally signed message part
Content-Transfer-Encoding: 7bit

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2

iQIcBAABCAAGBQJaKUNwAAoJEEW851uECx9ptrYP/imwpsEizACWfIkgFSVSFTQ3
QaZ+sVed7w3bzuM4PHFhMFQR7jOWdZMQVXMnZOZThZkflITgnaGx8+eZjO4RR9SB
oMpI0QDW+vhaXKqvIxCBHu1w8S5aBah0WzYnKFb9RVSMkzB4EtxUwjnk9hGABzY7
OpqrHnQ5nIdMA7+aV+E0htALjtDH73p3aYutcZz3qqrr5WKjBJPiBJPBH0rfAdxE
aoCI5Tv6LiY6VSoTHYOMdNFW0TlRMu7tC/UKqJbQ2Lcj59VqNSMQ1koszWcwcg0+
nRTQ1YTi8ZYB9hHBNvMtW1JrT3h6MLGIE0HW56/YGTv5esTCJpQfNg06JPtaIvsC
/gOVpK6AigXWg7HAks4HyJcZzvhNZCYKYlxeR0eq3HnR/rWOnrVIDp3qnPiNUX0Z
08f9lxFXIyC5L9EnwAVF/VNoWAtMnJpYSl+g+NXqyNgRCn+3/KNXd7d6oFrbXBO8
T8vSV/ZBKHy5Zd7HEXMQeF6sl5N3dEud1zJ3d6t6aPHK7elhwTPfE/6zgz9AEZBb
na1lioZ3FPOS8SHvpIFUvgrcvFPwkVQvuRJX3QHUSDO3fK9GJTbo6FTs+5Dlz1H9
RSovM2bk1h7DovXbNPZ5zNtNr3WiUWWsWMPZ42/PIVLVNAK6Ld3CXRz8Jc0n3SvM
xaSbiq6guasRlP9QGvLR
=0Y32
-----END PGP SIGNATURE-----

--=-r/TZ2WM2A6tyDs8eKwMM--

--===============7768983555371382659==
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: base64
Content-Disposition: inline

LS0gCnVidW50dS1zZWN1cml0eS1hbm5vdW5jZSBtYWlsaW5nIGxpc3QKdWJ1bnR1LXNlY3VyaXR5
LWFubm91bmNlQGxpc3RzLnVidW50dS5jb20KTW9kaWZ5IHNldHRpbmdzIG9yIHVuc3Vic2NyaWJl
IGF0OiBodHRwczovL2xpc3RzLnVidW50dS5jb20vbWFpbG1hbi9saXN0aW5mby91YnVudHUtc2Vj
dXJpdHktYW5ub3VuY2UK

--===============7768983555371382659==--