Login
Newsletter
Werbung
Sicherheit: Mehrere Probleme in rsync
Aktuelle Meldungen Distributionen
Name: Mehrere Probleme in rsync
ID: USN-7206-1
Distribution: Ubuntu
Plattformen: Ubuntu 14.04 LTS, Ubuntu 16.04 LTS, Ubuntu 18.04 LTS, Ubuntu 20.04 LTS, Ubuntu 22.04 LTS, Ubuntu 24.04 LTS
Datum: Mi, 15. Januar 2025, 06:39
Referenzen: https://www.cve.org/CVERecord?id=CVE-2024-12086
https://www.cve.org/CVERecord?id=CVE-2024-12088
https://www.cve.org/CVERecord?id=CVE-2024-12085
https://www.cve.org/CVERecord?id=CVE-2024-12087
https://www.cve.org/CVERecord?id=CVE-2024-12084
https://www.cve.org/CVERecord?id=CVE-2024-12747
Applikationen: rsync

Originalnachricht

 

--===============1208664284774355481==
Content-Type: multipart/signed; micalg=pgp-sha512;
	protocol="application/pgp-signature";
 boundary="MguFzkAVpGSyuJP3"
Content-Disposition: inline


--MguFzkAVpGSyuJP3
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline

==========================================================================
Ubuntu Security Notice USN-7206-1
January 14, 2025

Several security issues were fixed in rsync
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 24.04 LTS
- Ubuntu 22.04 LTS
- Ubuntu 20.04 LTS
- Ubuntu 18.04 LTS
- Ubuntu 16.04 LTS
- Ubuntu 14.04 LTS

Summary:

Several security issues were fixed in rsync.

Software Description:
- rsync: fast, versatile, remote (and local) file-copying tool

Details:

Simon Scannell, Pedro Gallegos, and Jasiel Spelman discovered that rsync
did not properly handle checksum lengths. An attacker could use this
issue to execute arbitrary code. (CVE-2024-12084)

Simon Scannell, Pedro Gallegos, and Jasiel Spelman discovered that rsync
compared checksums with uninitialized memory. An attacker could exploit
this issue to leak sensitive information. (CVE-2024-12085)

Simon Scannell, Pedro Gallegos, and Jasiel Spelman discovered that rsync
incorrectly handled file checksums. A malicious server could use this
to expose arbitrary client files. (CVE-2024-12086)

Simon Scannell, Pedro Gallegos, and Jasiel Spelman discovered that rsync
mishandled symlinks for some settings. An attacker could exploit this
to write files outside the intended directory. (CVE-2024-12087)

Simon Scannell, Pedro Gallegos, and Jasiel Spelman discovered that rsync
failed to verify symbolic link destinations for some settings. An
attacker could exploit this for path traversal attacks. (CVE-2024-12088)

Aleksei Gorban discovered a race condition in rsync's handling of
symbolic links. An attacker could use this to access sensitive
information or escalate privileges. (CVE-2024-12747)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 24.04 LTS
  rsync                           3.2.7-1ubuntu1.1

Ubuntu 22.04 LTS
  rsync                           3.2.7-0ubuntu0.22.04.3

Ubuntu 20.04 LTS
  rsync                           3.1.3-8ubuntu0.8

Ubuntu 18.04 LTS
  rsync                           3.1.2-2.1ubuntu1.6+esm1
                                  Available with Ubuntu Pro

Ubuntu 16.04 LTS
  rsync                           3.1.1-3ubuntu1.3+esm3
                                  Available with Ubuntu Pro

Ubuntu 14.04 LTS
  rsync                           3.1.0-2ubuntu0.4+esm1
                                  Available with Ubuntu Pro

In general, a standard system update will make all the necessary changes.
After a standard system update you need to restart rsync daemons if
configured to make all the necessary changes.

References:
  https://ubuntu.com/security/notices/USN-7206-1
  CVE-2024-12084, CVE-2024-12085, CVE-2024-12086, CVE-2024-12087,
  CVE-2024-12088, CVE-2024-12747

Package Information:
  https://launchpad.net/ubuntu/+source/rsync/3.2.7-1ubuntu1.1
  https://launchpad.net/ubuntu/+source/rsync/3.2.7-0ubuntu0.22.04.3
  https://launchpad.net/ubuntu/+source/rsync/3.1.3-8ubuntu0.8


--MguFzkAVpGSyuJP3
Content-Type: application/pgp-signature; name="signature.asc"

-----BEGIN PGP SIGNATURE-----

iQIzBAABCgAdFiEE0ZC278nRi4l3b3GjszvZgG6FIMYFAmeG9ykACgkQszvZgG6F
IMYSJg/+JqArZLY/FQLWXkaEB51m7J4XdczoPdbUpSJa/Rtv95DIsKBx0X/IwNv3
w2HmLFj1OFmjRwYr9Trw0VMmWkQMJG9VgS7h+Rw8g1dVC/wklwBogimWJyV9NYDI
jW+cqXWy/rNIY0wZHQUVhHoiyk8nfEB/eMoOxNAinqkCwqLvi15XOqUKI5v5gmuR
WTYBncByIJwWjPn3aUuO4WXG3DjBkjcaeUDHdHN5gg4OdjybQkq95B/lSXunYrJ7
SWOCpmLYMUt8hk6tarRPviijebI1CCTCKXqqLPjy8gVt8/sBNrZNpLBixm3+fC1P
uv7Pvy/boFcthGa0TvFfm+H52Vxz0V2NMB1Cwg21qoKaVfcsI8Kv9C5wlpFPVu4p
FKPZVrAC4ghYlLkEdo1BKxkemEIU7VBg4+u6vm4RDG9eXOfP4iZ6vLlZMrsOMnaQ
FkvCj6HYJhaNwjTSH+IWUJM7nfHYkDuaC6Hx5udY769XyFRsktjtA89bcFSVNI6B
gnqCtAtGI9pNbPgWEQ/mjG79nfzBt/DGgMudVWpsd0mI0MkX1LYXkBUXFRETmi3w
Op+yyD8nWQ8rQUwPnhuYaC/lLoYZDoFWbxhwKyjVPPh43hTigFYw7ti6JWrlvv3c
yz7bniGN2vS4VYSY5Qu7+4v9hFEA+nScf2toV6jdMHkik7tKI/o=
=T0ju
-----END PGP SIGNATURE-----

--MguFzkAVpGSyuJP3--


--===============1208664284774355481==
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: base64
Content-Disposition: inline


--===============1208664284774355481==--
Pro-Linux
Pro-Linux @Facebook
Neue Nachrichten

141
Mach­t's gut!

51
Neue Raspber­ry Pi-Va­ri­an­te mit 8 GB RAM

0
Genode 20.05 frei­ge­ge­ben

9
Sub­ver­si­on 1.14.0-LTS vor­ge­stellt

0
»Hum­ble Ci­ties: Sky­lines Bund­le« vor­ge­stellt

0
End of Life für Co­reOS Con­tai­ner Linux ver­kün­det

32
Elek­tra 0.9.2 er­schie­nen

8
Nex­tDNS ver­lässt die Be­ta-Pha­se

23
Tu­xe­do stellt Ga­mer-Note­book vor

0
Libre Gra­phics Mee­ting be­ginnt als On­li­ne-Va­ri­an­te
 
Werbung