
Security: Multiple issues in rsync (update)
Name: Multiple issues in rsync (update)
ID: USN-7206-4
Distribution: Ubuntu
Platforms: Ubuntu 24.10
Date: Mon, February 10, 2025, 15:56
References: https://www.cve.org/CVERecord?id=CVE-2024-12087
https://www.cve.org/CVERecord?id=CVE-2024-12084
https://www.cve.org/CVERecord?id=CVE-2024-12086
https://www.cve.org/CVERecord?id=CVE-2024-12085
https://www.cve.org/CVERecord?id=CVE-2024-12747
https://www.cve.org/CVERecord?id=CVE-2024-12088
Applications: rsync
Update of: Multiple issues in rsync

Original message

From: Sudhakar Verma <sudhakar.verma@canonical.com>
Reply-To: Ubuntu Security <security@ubuntu.com>
To: ubuntu-security-announce@lists.ubuntu.com
Message-ID: <aa2b56b4-3dde-43f0-9fbd-727c7df1a61b@canonical.com>
Subject: [USN-7206-4] rsync regression

==========================================================================
Ubuntu Security Notice USN-7206-4
February 10, 2025

rsync regression
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 24.10

Summary:

USN-7206-3 caused some regression in rsync.

Software Description:
- rsync: fast, versatile, remote (and local) file-copying tool

Details:

USN-7206-3 fixed vulnerabilities in rsync for Ubuntu 24.10. The update
introduced a regression in rsync. This update fixes the problem.

We apologize for the inconvenience.

Original advisory details:

Simon Scannell, Pedro Gallegos, and Jasiel Spelman discovered that rsync
did not properly handle checksum lengths. An attacker could use this
issue to execute arbitrary code. (CVE-2024-12084)

Simon Scannell, Pedro Gallegos, and Jasiel Spelman discovered that rsync
compared checksums with uninitialized memory. An attacker could exploit
this issue to leak sensitive information. (CVE-2024-12085)

Simon Scannell, Pedro Gallegos, and Jasiel Spelman discovered that rsync
incorrectly handled file checksums. A malicious server could use this
to expose arbitrary client files. (CVE-2024-12086)

Simon Scannell, Pedro Gallegos, and Jasiel Spelman discovered that rsync
mishandled symlinks for some settings. An attacker could exploit this
to write files outside the intended directory. (CVE-2024-12087)

Simon Scannell, Pedro Gallegos, and Jasiel Spelman discovered that rsync
failed to verify symbolic link destinations for some settings. An
attacker could exploit this for path traversal attacks. (CVE-2024-12088)

Aleksei Gorban discovered a race condition in rsync's handling of
symbolic links. An attacker could use this to access sensitive
information or escalate privileges. (CVE-2024-12747)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 24.10
rsync 3.3.0-1ubuntu0.2

In general, a standard system update will make all the necessary changes.
After a standard system update you need to restart rsync daemons if
configured to make all the necessary changes.

References:
https://ubuntu.com/security/notices/USN-7206-4
https://ubuntu.com/security/notices/USN-7206-3
https://ubuntu.com/security/notices/USN-7206-2
https://ubuntu.com/security/notices/USN-7206-1
https://launchpad.net/bugs/2096914

Package Information:
https://launchpad.net/ubuntu/+source/rsync/3.3.0-1ubuntu0.2
