7899967 2002-01-27 04:45 -0500  /84 lines/ Jim Knoble <jmknoble@pobox.com>
Sent by: joel@lysator.liu.se
Imported: 2002-01-28  20:04  by Brevbäraren
External recipient: redhat-watch-list@redhat.com
External recipient: bugtraq@securityfocus.com
Recipient: Bugtraq (import) <20702>
Comment on text 7886542 by  <bugzilla@redhat.com>
Extra copy: David Lundberg, Matrix Consult AB, Ad Hoc'ed <432>
    Sent:     2002-01-28 20:08
    Sent by Peter Lundqvist (disjunkt)
Subject: rsync-2.5.2 has security fix (was: Re: [RHSA-2002:018-05] New rsync packages available)
------------------------------------------------------------
From: Jim Knoble <jmknoble@pobox.com>
To: redhat-watch-list@redhat.com, bugtraq@securityfocus.com
Message-ID: <20020127044541.D1997@quipu.half.pint-stowp.cx>

Circa 2002-Jan-25 16:33:00 -0500 dixit bugzilla@redhat.com:

: ---------------------------------------------------------------------
:                    Red Hat, Inc. Red Hat Security Advisory
:
: Synopsis:          New rsync packages available
: Advisory ID:       RHSA-2002:018-05
: Issue date:        2002-01-23
: Updated on:        2002-01-25
: Product:           Red Hat Linux
: Keywords:          rsync signed unsigned daemon
: Cross references:
: Obsoletes:
: ---------------------------------------------------------------------
:
: 1. Topic:
:
: New rsync packages are available; these fix a remotely exploitable problem
: in the I/O functions.

  [...]

: rsync is a powerful tool used for mirroring directory structures across
: machines.  rsync has been found to contain several signed/unsigned bugs in
: its I/O functions which are remotely exploitable.   A remote user can crash
: the rsync server/client and execute code as the user running the rsync
: server or client.
:
: The Common Vulnerabilities and Exposures project (cve.mitre.org) has
: assigned the name CAN-2002-0048 to this issue.

I can't seem to find any information about this issue at
cve.mitre.org; it simply says:

  ** RESERVED ** This candidate has been reserved by an organization
  or individual that will use it when announcing a new security
  problem.  When the candidate has been publicized, the details for
  this candidate will be provided.

I've seen at least three announcements about rsync from different
Linux distribution vendors, but no information at all about what
versions are actually vulnerable, or when the vulnerability was
discovered (or fixed).

For folks who have actually moved beyond vendor-supplied
point-and-drool packages of rsync, there's a need for actual real
information about what versions of rsync are vulnerable and what the
fix is.

Hence, this news from http://rsync.samba.org/:

    rsync 2.5.2

             The latest version of rsync is version 2.5.2.

             This version includes the following changes:

             rsync 2.5.2 (26 Jan 2002)

               SECURITY FIXES:

                 * Signedness security patch from Sebastian Krahmer
                    -- in some cases we were not sufficiently
                   careful about reading integers from the network.

Further information is at http://rsync.samba.org/.

I find it tiring that vendors neglect to disclose this sort of
information in their public announcements.  A simple statement such as
"Plain-vanilla versions of rsync less than 2.5.2 are vulnerable.
However, we've backported the fix to our sparkling new package of
rsync-2.4.6.  Customers who use our Strawberry Linux Forever
distribution should upgrade to our packages, listed below: ...."

That sort of information helps everyone.

--
jim knoble | jmknoble@pobox.com   | http://www.pobox.com/~jmknoble/
(GnuPG fingerprint: 31C4:8AAC:F24E:A70C:4000::BBF4:289F:EAA8:1381:1491)
(7899967) /Jim Knoble <jmknoble@pobox.com>/(Reflowed)
Attachment (application/pgp-signature) in text 7899968
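An added illustration of the integer-signedness bug class that the advisory and the 2.5.2 changelog describe; it is not rsync's code and not part of this post. A length field read from the network as a signed value slips past a "too large" check when it is negative, and the hardened version rejects it. The 32-bit little-endian encoding, BUF_MAX, the sample headers and the function names are assumptions made for the example.

```c
#include <stddef.h>
#include <stdint.h>

#define BUF_MAX 4096   /* assumed receive-buffer size for the example */

/* Constructed sample length headers (assumed little-endian wire order). */
static const unsigned char HDR_OK[4]  = {0x10, 0x00, 0x00, 0x00}; /* 16   */
static const unsigned char HDR_BIG[4] = {0x00, 0x20, 0x00, 0x00}; /* 8192 */
static const unsigned char HDR_NEG[4] = {0xFF, 0xFF, 0xFF, 0xFF}; /* -1   */

/* Decode a 32-bit integer from four network bytes, little-endian. */
static int32_t read_int32_le(const unsigned char *p) {
    return (int32_t)((uint32_t)p[0] | ((uint32_t)p[1] << 8) |
                     ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24));
}

/* Weak check: the length stays signed, so a negative value is not
 * "greater than BUF_MAX" and is accepted. Returns 1 if accepted. */
int accept_length_weak(const unsigned char *hdr) {
    int len = read_int32_le(hdr);
    if (len > BUF_MAX)
        return 0;
    return 1;
}

/* Hardened check: reject negative values explicitly before the length
 * is ever used as a size. Returns 1 if accepted. */
int accept_length_hardened(const unsigned char *hdr) {
    int32_t len = read_int32_le(hdr);
    if (len < 0 || len > BUF_MAX)
        return 0;
    return 1;
}

/* The size the weak path would hand to a copy routine: a negative int
 * converted to size_t becomes a huge unsigned value. */
size_t weak_copy_size(const unsigned char *hdr) {
    int len = read_int32_le(hdr);
    return (size_t)len;
}
```

The weak check accepts HDR_NEG while the hardened one rejects it; both agree on HDR_OK (accepted) and HDR_BIG (rejected).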
7899968 2002-01-27 04:45 -0500  /10 lines/ Jim Knoble <jmknoble@pobox.com>
Imported: 2002-01-28  20:04  by Brevbäraren
External recipient: redhat-watch-list@redhat.com
External recipient: bugtraq@securityfocus.com
Recipient: Bugtraq (import) <20703>
Attachment (text/plain) to text 7899967
Subject: Attachment to: rsync-2.5.2 has security fix (was: Re: [RHSA-2002:018-05] New rsync packages available)
------------------------------------------------------------
(7899968) /Jim Knoble <jmknoble@pobox.com>/---------