[CLA-2002:458] Conectiva Linux Security Announcement - rsync

From: secure@conectiva.com.br
Date: 01/25/02

Previous message: Sebastian Krahmer: "SuSE Security Announcement: rsync (SuSE-SA:2002:004)"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Date: Fri, 25 Jan 2002 16:32:06 -0200
To: conectiva-updates@papaleguas.conectiva.com.br, lwn@lwn.net, bugtraq@securityfocus.com, security-alerts@linuxsecurity.com
From: secure@conectiva.com.br

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- --------------------------------------------------------------------------
CONECTIVA LINUX SECURITY ANNOUNCEMENT
- --------------------------------------------------------------------------

PACKAGE : rsync
SUMMARY : Remote vulnerability
DATE : 2002-01-25 16:31:00
ID : CLA-2002:458
RELEVANT
RELEASES : 5.0, prg graficos, ecommerce, 5.1, 6.0, 7.0

- -------------------------------------------------------------------------

DESCRIPTION
"rsync" is a program used mainly to mirror files between remote
sites.

Sebastian Krahmer from SuSe did an audit on the rsync source code and
found several vulneranilities regarding the use of signed integers.
Some variables could receive a negative value, and this was a
condition that was not expected by the program. A remote attacker
could exploit this to execute commands on the rsync server.

SOLUTION
It is recommended that all rsync users upgrade their packages.

IMPORTANT: please stop all rsync processes before upgrading. This
will ensure that no old vulnerable copies will be left running. If
rsync is running in daemon mode, it has to be restarted manually
after upgrading.
If rsync is being started by inetd or xinetd, then no further action
is necessary after the upgrade, since these tools will automatically
use the upgraded package.

ADDITIONAL INSTRUCTIONS
Users of Conectiva Linux version 6.0 or higher may use apt to perform
upgrades of RPM packages:
- add the following line to /etc/apt/sources.list if it is not there yet
(you may also use linuxconf to do this):

rpm [cncbr] ftp://atualizacoes.conectiva.com.br 6.0/conectiva updates

(replace 6.0 with the correct version number if you are not running CL6.0)

- run: apt-get update
- after that, execute: apt-get upgrade

Detailed instructions reagarding the use of apt and upgrade examples
can be found at http://distro.conectiva.com.br/atualizacoes/#apt?idioma=en

- -------------------------------------------------------------------------
All packages are signed with Conectiva's GPG key. The key and instructions
on how to import it can be found at
http://distro.conectiva.com.br/seguranca/chave/?idioma=en
Instructions on how to check the signatures of the RPM packages can be
found at http://distro.conectiva.com.br/seguranca/politica/?idioma=en
- -------------------------------------------------------------------------
All our advisories and generic update instructions can be viewed at
http://distro.conectiva.com.br/atualizacoes/?idioma=en

- -------------------------------------------------------------------------
subscribe: conectiva-updates-subscribe@papaleguas.conectiva.com.br
unsubscribe: conectiva-updates-unsubscribe@papaleguas.conectiva.com.br
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: For info see http://www.gnupg.org

iD8DBQE8UaSl42jd0JmAcZARAtkUAKDUH9Sibqz7/qUh668q3d2bBjgz1gCg9CeK
4RrHd0Pm0mc4gMEHkTj9C70=
=gd8w
-----END PGP SIGNATURE-----

Previous message: Sebastian Krahmer: "SuSE Security Announcement: rsync (SuSE-SA:2002:004)"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Relevant Pages

[CLA-2004:881] Conectiva Security Announcement - rsync
... PACKAGE: rsync ... It is recommended that all rsync users upgrade their packages. ... Detailed instructions regarding the use of apt and upgrade examples ...
(Bugtraq)
[Full-Disclosure] SUSE Security Announcement: rsync (SuSE-SA:2003:050)
... In most private networks the rsync client tool is used via SSH to fulfill ... In an open environment rsync is run in server mode accepting ... after December 15th 2003 will not be fixed any more for SuSE Linux ... New KDE packages are currently being tested. ...
(Full-Disclosure)
SUSE Security Announcement: rsync (SuSE-SA:2003:050)
... In most private networks the rsync client tool is used via SSH to fulfill ... In an open environment rsync is run in server mode accepting ... after December 15th 2003 will not be fixed any more for SuSE Linux ... New KDE packages are currently being tested. ...
(Bugtraq)
[CLA-2003:794] Conectiva Security Announcement - rsync
... rsync versions prior to 2.5.7 have a heap buffer overflow ... This vulnerability specially affects installations where rsync is ... It is recommended that all rsync users upgrade their packages. ... Detailed instructions reagarding the use of apt and upgrade examples ...
(Bugtraq)
[RHSA-2002:018-05] New rsync packages available
... New rsync packages are available; these fix a remotely exploitable problem ... where is a list of the RPMs you wish to upgrade. ... Please note that this update is also available via Red Hat Network. ...
(Bugtraq)