Date: Mon, 3 May 2004 13:06:08 -0700 (PDT)
From: Slackware Security Team <[email protected]>
To: [email protected]Subject: [slackware-security] rsync update (SSA:2004-124-01)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
[slackware-security] rsync update (SSA:2004-124-01)
New rsync packages are available for Slackware 8.1, 9.0, 9.1, and -current to
fix a security issue. When running an rsync server without the chroot option
it is possible for an attacker to write outside of the allowed directory.
Any sites running rsync in that mode should upgrade right away (and should
probably look into using the chroot option as well).
More details about this issue may be found in the Common
Vulnerabilities and Exposures (CVE) database:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0426
Here are the details from the Slackware 9.1 ChangeLog:
+--------------------------+
Sun May 2 17:16:41 PDT 2004
patches/packages/rsync-2.6.2-i486-1.tgz: Upgraded to rsync-2.6.2.
Rsync before 2.6.1 does not properly sanitize paths when running a
read/write daemon without using chroot, allowing remote attackers to
write files outside of the module's path.
For more details, see:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0426
(* Security fix *)
+--------------------------+
Where to find the new packages:
+-----------------------------+
Updated package for Slackware 8.1:
ftp://ftp.slackware.com/pub/slackware/slackware-8.1/patches/packages/rsync-2.6.2-i386-1.tgz
Updated package for Slackware 9.0:
ftp://ftp.slackware.com/pub/slackware/slackware-9.0/patches/packages/rsync-2.6.2-i386-1.tgz
Updated package for Slackware 9.1:
ftp://ftp.slackware.com/pub/slackware/slackware-9.1/patches/packages/rsync-2.6.2-i486-1.tgz
Updated package for Slackware -current:
ftp://ftp.slackware.com/pub/slackware/slackware-current/slackware/n/rsync-2.6.2-i486-1.tgz
MD5 signatures:
+-------------+
Slackware 8.1 package:
f7702e872e7816dcb6f9b0ba27c3fb61 rsync-2.6.2-i386-1.tgz
Slackware 9.0 package:
f6ec19791028f4b355bc16d454031204 rsync-2.6.2-i386-1.tgz
Slackware 9.1 package:
a42dc11056b37c7ddd94f71e4ce20c74 rsync-2.6.2-i486-1.tgz
Slackware -current package:
31eb4e17aea2a32a98d4576fab64ab8b rsync-2.6.2-i486-1.tgz
Installation instructions:
+------------------------+
If rsync is running as a server, shut it down first.
Then, upgrade the packages as root:
# upgradepkg rsync-2.6.2-i486-1.tgz
Finally, restart the rsync server if needed.
+-----+
Slackware Linux Security Team
http://slackware.com/gpg-key[email protected]
+------------------------------------------------------------------------+
| To leave the slackware-security mailing list: |
+------------------------------------------------------------------------+
| Send an email to [email protected] with this text in the body of |
| the email message: |
| |
| unsubscribe slackware-security |
| |
| You will get a confirmation message back containing instructions to |
| complete the process. Please do not reply to this email address. |
+------------------------------------------------------------------------+
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)
iD8DBQFAlqInakRjwEAQIjMRAn/XAJ9dwBsBV7VuRBPh6kvWyiWf+VGO+wCgkh7l
cn6CWFRgo4vQtZYJluLK37o=
=VhMB
-----END PGP SIGNATURE-----