-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 - -------------------------------------------------------------------------- CONECTIVA LINUX SECURITY ANNOUNCEMENT - -------------------------------------------------------------------------- PACKAGE : rsync SUMMARY : Remote vulnerability DATE : 2002-01-25 16:31:00 ID : CLA-2002:458 RELEVANT RELEASES : 5.0, prg graficos, ecommerce, 5.1, 6.0, 7.0 - ------------------------------------------------------------------------- DESCRIPTION "rsync" is a program used mainly to mirror files between remote sites. Sebastian Krahmer from SuSe did an audit on the rsync source code and found several vulneranilities regarding the use of signed integers. Some variables could receive a negative value, and this was a condition that was not expected by the program. A remote attacker could exploit this to execute commands on the rsync server. SOLUTION It is recommended that all rsync users upgrade their packages. IMPORTANT: please stop all rsync processes before upgrading. This will ensure that no old vulnerable copies will be left running. If rsync is running in daemon mode, it has to be restarted manually after upgrading. If rsync is being started by inetd or xinetd, then no further action is necessary after the upgrade, since these tools will automatically use the upgraded package. DIRECT DOWNLOAD LINKS TO THE UPDATED PACKAGES ftp://atualizacoes.conectiva.com.br/5.0/SRPMS/rsync-2.4.6-4U50_1cl.src.rpm ftp://atualizacoes.conectiva.com.br/5.0/i386/rsync-2.4.6-4U50_1cl.i386.rpm ftp://atualizacoes.conectiva.com.br/5.1/SRPMS/rsync-2.4.6-4U51_1cl.src.rpm ftp://atualizacoes.conectiva.com.br/5.1/i386/rsync-2.4.6-4U51_1cl.i386.rpm ftp://atualizacoes.conectiva.com.br/6.0/SRPMS/rsync-2.4.6-4U60_1cl.src.rpm ftp://atualizacoes.conectiva.com.br/6.0/RPMS/rsync-2.4.6-4U60_1cl.i386.rpm ftp://atualizacoes.conectiva.com.br/7.0/SRPMS/rsync-2.4.6-4U70_1cl.src.rpm ftp://atualizacoes.conectiva.com.br/7.0/RPMS/rsync-2.4.6-4U70_1cl.i386.rpm ftp://atualizacoes.conectiva.com.br/ferramentas/ecommerce/SRPMS/rsync-2.4.6-4U50_1cl.src.rpm ftp://atualizacoes.conectiva.com.br/ferramentas/ecommerce/i386/rsync-2.4.6-4U50_1cl.i386.rpm ftp://atualizacoes.conectiva.com.br/ferramentas/graficas/SRPMS/rsync-2.4.6-4U50_1cl.src.rpm ftp://atualizacoes.conectiva.com.br/ferramentas/graficas/i386/rsync-2.4.6-4U50_1cl.i386.rpm ADDITIONAL INSTRUCTIONS Users of Conectiva Linux version 6.0 or higher may use apt to perform upgrades of RPM packages: - add the following line to /etc/apt/sources.list if it is not there yet (you may also use linuxconf to do this): rpm [cncbr] ftp://atualizacoes.conectiva.com.br 6.0/conectiva updates (replace 6.0 with the correct version number if you are not running CL6.0) - run: apt-get update - after that, execute: apt-get upgrade Detailed instructions reagarding the use of apt and upgrade examples can be found at http://distro.conectiva.com.br/atualizacoes/#apt?idioma=en - ------------------------------------------------------------------------- All packages are signed with Conectiva's GPG key. The key and instructions on how to import it can be found at http://distro.conectiva.com.br/seguranca/chave/?idioma=en Instructions on how to check the signatures of the RPM packages can be found at http://distro.conectiva.com.br/seguranca/politica/?idioma=en - ------------------------------------------------------------------------- All our advisories and generic update instructions can be viewed at http://distro.conectiva.com.br/atualizacoes/?idioma=en - ------------------------------------------------------------------------- subscribe: conectiva-updates-subscribe@papaleguas.conectiva.com.br unsubscribe: conectiva-updates-unsubscribe@papaleguas.conectiva.com.br -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.6 (GNU/Linux) Comment: For info see http://www.gnupg.org iD8DBQE8UaSl42jd0JmAcZARAtkUAKDUH9Sibqz7/qUh668q3d2bBjgz1gCg9CeK 4RrHd0Pm0mc4gMEHkTj9C70= =gd8w -----END PGP SIGNATURE-----
