[rsync-announce] rsync security announcement

rsync-announce-admin at lists.samba.org
Sat Jan 26 10:53:30 EST 2002


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

The rsync program allows users and administrators to synchronize files
and whole directory structures on different machines.  It is common
practice to allow remote users to mirror ftp servers via anonymous
rsync access.  There exist several signedness bugs within the rsync
program which allow remote attackers to write NUL (0) bytes to almost
arbitrary stack locations, therefore being able to control the program
flow.  These bugs have been fixed.

The rsync maintainers gratefully acknowledge the work of Sebastian
Krahmer and the SuSE security team in discovering and addressing this
problem.

Although this vulnerability is primarily important for people running
rsync daemons, it is not impossible that a malicious rsync server
could use it to attack a client who connects over either ssh or port
873.  All users should upgrade, even if they are not running public
servers.

It is recommended (also stated in the rsync documentation) to use the
"use chroot" and "uid" options in rsyncd's configuration file
(/etc/rsyncd.conf) to limit the impact of a possible attack.  Since
this workaround does not completely solve the security problem, we
recommend upgrading as soon as possible.
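The two options named above are per-module settings in rsyncd.conf, and a module can silently override a safe global default.  The following script is an added example, not part of this announcement or of the rsync sources: it audits an rsyncd.conf for modules whose effective settings disable chroot or run as root, applying the defaults documented in rsyncd.conf(5) ("use chroot" defaults to yes, "uid" to nobody).  The sample configuration it writes is constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the rsync announcement): audit rsyncd.conf for
# modules that weaken the "use chroot" / "uid" mitigations.
# Assumes rsyncd.conf syntax: global "key = value" lines followed by
# [module] sections; unset keys fall back to the global value, then to
# the documented defaults (use chroot = yes, uid = nobody).

# Constructed sample configuration for the demonstration.
SAMPLE_CONF=$(mktemp)
cat >"$SAMPLE_CONF" <<'EOF'
# global defaults
uid = nobody
use chroot = yes

[mirror]
    path = /srv/ftp
    read only = yes

[build]
    path = /home/build
    use chroot = no
    uid = root
EOF

# audit_rsyncd_conf FILE
# Prints one line per weak module setting; returns 1 if any module is
# weak, 0 if every module keeps chroot enabled and an unprivileged uid.
audit_rsyncd_conf() {
    awk '
        function report_module(  chroot, uid) {
            if (module == "") return
            chroot = ("use chroot" in cur) ? cur["use chroot"] : glob["use chroot"]
            uid    = ("uid" in cur)        ? cur["uid"]        : glob["uid"]
            if (chroot == "") chroot = "yes"      # documented default
            if (uid == "")    uid    = "nobody"   # documented default
            if (chroot ~ /^(no|false|0)$/) { print module ": use chroot disabled"; bad = 1 }
            if (uid == "root" || uid == "0") { print module ": runs as uid " uid; bad = 1 }
        }
        /^[ \t]*#/ || /^[ \t]*$/ { next }          # comments and blank lines
        /^[ \t]*\[/ {                              # start of a [module] section
            report_module()
            module = $0; sub(/^[ \t]*\[/, "", module); sub(/\].*$/, "", module)
            split("", cur)                         # portable way to clear the array
            next
        }
        /=/ {                                      # key = value line
            key = $0; sub(/=.*$/, "", key); gsub(/^[ \t]+|[ \t]+$/, "", key)
            val = $0; sub(/^[^=]*=/, "", val); gsub(/^[ \t]+|[ \t]+$/, "", val)
            key = tolower(key)
            if (module == "") glob[key] = val; else cur[key] = val
        }
        END { report_module(); exit (bad ? 1 : 0) }
    ' "$1"
}

# Stand-alone demonstration: the [build] module should be reported.
audit_rsyncd_conf "$SAMPLE_CONF" || echo "weak module settings found; see above"
```

Run it against a real /etc/rsyncd.conf to list every module that would let a compromised rsync process escape the chroot or run with root privileges; a clean configuration produces no output and exits 0.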

Upgraded versions of the rsync development branch, 2.5, and of the
stable branches 2.3 and 2.4 are now available from the samba.org web
site.  In addition, distribution vendors will release updated binary
packages through the regular channels.

GPG detached signature files are present on the server for all new
versions.  To be sure of the origin of a package before installation,
please run the command

  gpg --verify rsync-2.5.2.tar.gz.sig

in the directory containing both the .tar.gz and signature files.

rsync-2.5

  http://rsync.samba.org/ftp/rsync/rsync-2.5.2.tar.gz

rsync-2.4

  http://rsync.samba.org/ftp/rsync/old-versions/rsync-2.4.8.tar.gz

rsync-2.3

  http://rsync.samba.org/ftp/rsync/old-versions/rsync-2.3.3.tar.gz

- --
Martin Pool
rsync maintainer
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: For info see http://www.gnupg.org

iD8DBQE8Ue/fPGPKP6Cz6IsRAkvdAKDCOXDK7TebirM5n8ASjsMSZeiDrwCZARKJ
kwtU6Km+POjoWKY/lwI5Gus=
=CcN/
-----END PGP SIGNATURE-----