rsync security advisory

Paul Slootman paul at debian.org
Fri Dec 5 02:47:56 EST 2003


On Thu 04 Dec 2003, Paul Haas wrote:
> > On Thu 04 Dec 2003, Martin Pool wrote:
> > >
> > >  - rsync version 2.5.6 contains a heap overflow vulnerability that can
> > >    be used to remotely run arbitrary code.
> >
> > Is this specific to 2.5.6, or are earlier versions also vulnerable?
> > Important detail, as it makes the difference between needing to upgrade
> > older rsyncs as well, or only those that are 2.5.6...  As Debian
> > provides security patches for the stable release (which contains rsync
> > 2.5.5), I'm wondering whether an update for that is necessary.
> 
> Sure looks necessary to me.

Thanks.

The Debian security team are working on a fixed 2.5.5 for "stable" now.
In fact, it's done, but needs to be built on all the architectures that
Debian supports before an announcement can go out.

I've also built 2.5.7 for unstable/testing, but as at this time nothing
is being installed into the archives (due to the earlier compromise),
it won't be available for at least a couple of days :-(  In the
meantime, interested parties may download
http://www.wurtel.cistron.nl/rsync_2.5.7-1_i386.deb
(md5sum 985e720f7502c2df9685a2202d36692d) and install that with dpkg -i
taking into account its dependencies:
libc6 (>= 2.3.2.ds1-4), libpopt0 (>= 1.7)


Paul Slootman