[Systems] [Fwd: [USN-1124-1] rsync vulnerability]

Stefan Unterhauser stefan at unterhauser.name
Wed Apr 27 18:27:23 EDT 2011


:) that's a cool exploit ...

On Wed, Apr 27, 2011 at 4:12 PM, Bernie Innocenti <bernie at codewiz.org> wrote:
> Heads up, everyone! This one seems serious if you're rsyncing from
> untrusted remotes.
>
> -------- Forwarded Message --------
> From: Marc Deslauriers <marc.deslauriers at canonical.com>
> Reply-to: ubuntu-users at lists.ubuntu.com, Ubuntu Security
> <security at ubuntu.com>
> To: ubuntu-security-announce at lists.ubuntu.com
> Cc: full-disclosure at lists.grok.org.uk, bugtraq at securityfocus.com
> Subject: [USN-1124-1] rsync vulnerability
> Date: Wed, 27 Apr 2011 11:39:14 -0400
>
> ==========================================================================
> Ubuntu Security Notice USN-1124-1
> April 27, 2011
>
> rsync vulnerability
> ==========================================================================
>
> A security issue affects these releases of Ubuntu and its derivatives:
>
> - Ubuntu 10.10
> - Ubuntu 10.04 LTS
> - Ubuntu 9.10
>
> Summary:
>
> rsync could be made to crash or run programs as your login if it connected
> to a malicious server.
>
> Software Description:
> - rsync: fast remote file copy program (like rcp)
>
> Details:
>
> It was discovered that rsync incorrectly handled memory when certain
> recursion, deletion and ownership options were used. If a user were tricked
> into connecting to a malicious server, a remote attacker could cause a
> denial of service or execute arbitrary code with privileges of the user
> invoking the program.
>
> Update instructions:
>
> The problem can be corrected by updating your system to the following
> package versions:
>
> Ubuntu 10.10:
>  rsync                           3.0.7-2ubuntu1.1
>
> Ubuntu 10.04 LTS:
>  rsync                           3.0.7-1ubuntu1.1
>
> Ubuntu 9.10:
>  rsync                           3.0.6-1ubuntu1.1
>
> In general, a standard system update will make all the necessary changes.
>
> References:
>  CVE-2011-1097
>
> Package Information:
>  https://launchpad.net/ubuntu/+source/rsync/3.0.7-2ubuntu1.1
>  https://launchpad.net/ubuntu/+source/rsync/3.0.7-1ubuntu1.1
>  https://launchpad.net/ubuntu/+source/rsync/3.0.6-1ubuntu1.1
>
>
> --
> ubuntu-security-announce mailing list
> ubuntu-security-announce at lists.ubuntu.com
> Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-security-announce
>
> --
>  _ // Bernie Innocenti
>  \X/  http://codewiz.org
>
> _______________________________________________
> Systems mailing list
> Systems at lists.sugarlabs.org
> http://lists.sugarlabs.org/listinfo/systems
>

