Ubuntu alert USN-7206-4 (rsync)
| From: | Sudhakar Verma <sudhakar.verma@canonical.com> | |
| To: | ubuntu-security-announce@lists.ubuntu.com | |
| Subject: | [USN-7206-4] rsync regression | |
| Date: | Mon, 10 Feb 2025 15:19:31 +0530 | |
| Message-ID: | <aa2b56b4-3dde-43f0-9fbd-727c7df1a61b@canonical.com> |
========================================================================== Ubuntu Security Notice USN-7206-4 February 10, 2025 rsync regression ========================================================================== A security issue affects these releases of Ubuntu and its derivatives: - Ubuntu 24.10 Summary: USN-7206-3 caused some regression in rsync. Software Description: - rsync: fast, versatile, remote (and local) file-copying tool Details: USN-7206-3 fixed vulnerabilities in rsync for Ubuntu 24.10. The update introduced a regression in rsync. This update fixes the problem. We apologize for the inconvenience. Original advisory details: Simon Scannell, Pedro Gallegos, and Jasiel Spelman discovered that rsync did not properly handle checksum lengths. An attacker could use this issue to execute arbitrary code. (CVE-2024-12084) Simon Scannell, Pedro Gallegos, and Jasiel Spelman discovered that rsync compared checksums with uninitialized memory. An attacker could exploit this issue to leak sensitive information. (CVE-2024-12085) Simon Scannell, Pedro Gallegos, and Jasiel Spelman discovered that rsync incorrectly handled file checksums. A malicious server could use this to expose arbitrary client files. (CVE-2024-12086) Simon Scannell, Pedro Gallegos, and Jasiel Spelman discovered that rsync mishandled symlinks for some settings. An attacker could exploit this to write files outside the intended directory. (CVE-2024-12087) Simon Scannell, Pedro Gallegos, and Jasiel Spelman discovered that rsync failed to verify symbolic link destinations for some settings. An attacker could exploit this for path traversal attacks. (CVE-2024-12088) Aleksei Gorban discovered a race condition in rsync's handling of symbolic links. An attacker could use this to access sensitive information or escalate privileges. (CVE-2024-12747) Update instructions: The problem can be corrected by updating your system to the following package versions: Ubuntu 24.10 rsync 3.3.0-1ubuntu0.2 In general, a standard system update will make all the necessary changes. After a standard system update you need to restart rsync daemons if configured to make all the necessary changes. References: https://ubuntu.com/security/notices/USN-7206-4 https://ubuntu.com/security/notices/USN-7206-3 https://ubuntu.com/security/notices/USN-7206-2 https://ubuntu.com/security/notices/USN-7206-1 https://launchpad.net/bugs/2096914 Package Information: https://launchpad.net/ubuntu/+source/rsync/3.3.0-1ubuntu0.2
Attachment: OpenPGP_signature.asc (type=application/pgp-signature)
-----BEGIN PGP SIGNATURE----- wsF4BAABCAAjFiEEcfvxe+flLQwqLJFE8LYUYLBMS1YFAmepy6sFAwAAAAAACgkQ8LYUYLBMS1bX FQ/49FCfBgDYnAzGQcvD51yxG71v6QnGY5yR80V0PvLd11Vwgdj9tlnR68MbzA6Hmw9r3X40f/mw hVyKmKONgn+CU30ymKsd4g7ep3J4EDDQg+3WZen2UDGhOit4OOUlc2P29QLVTOk4SUd8arWpRFY3 bRtAo/8BcQN+Tx7yyzItjoQ6JjNvstHrmdFDwt8ilWVOTWf/EDIAIi5HU0TEWTyULBFz/PRmjBFS ZqPjk7sntCiG2ZeVFvQWVl3RYbalNq0ziwPwdFcBuJz4O1a4yTDzY7whxSzIitUPRHYjJPHyLQVP FRTRQXZVIcyQUtcW+R4BUJ++9EYV0IOJzlqxQ5snr2k8tM+m5BKGGqeipMP/eSFWdGL5Xsx+cw7U O+cfX8fA5bU6+h0/nkq/fyEL3ZhVdb5IQ6FyLGgQBBs5BzWjcElFiPFz6RpWBoC2Tm1PSVAhmhmQ asFl3viokcbUhTZ3HtPFz28qLM46CsWDOBaho15RsJaJhxYccJ1aEZ50QIbPn4r3GPgtD/R5aLkG qfHuKLjKrKGckmyufI57uaYePnyEXXwsf8WtkAZy+I8Xet7pfOe761TMADMlS4UROxYOuG7epvAW JS4JxpgG+Me9+sCq5+y42t/bZlohwkiBDU35xVvXmC0WhJm43rrSSlo3HgSDCkyMEn87WVZidGPN Tw== =Fg2G -----END PGP SIGNATURE-----
Attachment: None (type=text/plain)