lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <Pine.LNX.4.58.0405031305440.16889@bob.slackware.com>
Date: Mon, 3 May 2004 13:06:08 -0700 (PDT)
From: Slackware Security Team <security@...ckware.com>
To: slackware-security@...ckware.com
Subject: [slackware-security]  rsync update (SSA:2004-124-01)



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

[slackware-security]  rsync update (SSA:2004-124-01)

New rsync packages are available for Slackware 8.1, 9.0, 9.1, and -current to
fix a security issue.  When running an rsync server without the chroot option
it is possible for an attacker to write outside of the allowed directory.
Any sites running rsync in that mode should upgrade right away (and should
probably look into using the chroot option as well).

More details about this issue may be found in the Common
Vulnerabilities and Exposures (CVE) database:

  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0426

Here are the details from the Slackware 9.1 ChangeLog:
+--------------------------+
Sun May  2 17:16:41 PDT 2004
patches/packages/rsync-2.6.2-i486-1.tgz:  Upgraded to rsync-2.6.2.
  Rsync before 2.6.1 does not properly sanitize paths when running a
  read/write daemon without using chroot, allowing remote attackers to
  write files outside of the module's path.
  For more details, see:
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0426
  (* Security fix *)
+--------------------------+


Where to find the new packages:
+-----------------------------+

Updated package for Slackware 8.1:
ftp://ftp.slackware.com/pub/slackware/slackware-8.1/patches/packages/rsync-2.6.2-i386-1.tgz

Updated package for Slackware 9.0:
ftp://ftp.slackware.com/pub/slackware/slackware-9.0/patches/packages/rsync-2.6.2-i386-1.tgz

Updated package for Slackware 9.1:
ftp://ftp.slackware.com/pub/slackware/slackware-9.1/patches/packages/rsync-2.6.2-i486-1.tgz

Updated package for Slackware -current:
ftp://ftp.slackware.com/pub/slackware/slackware-current/slackware/n/rsync-2.6.2-i486-1.tgz


MD5 signatures:
+-------------+

Slackware 8.1 package:
f7702e872e7816dcb6f9b0ba27c3fb61  rsync-2.6.2-i386-1.tgz

Slackware 9.0 package:
f6ec19791028f4b355bc16d454031204  rsync-2.6.2-i386-1.tgz

Slackware 9.1 package:
a42dc11056b37c7ddd94f71e4ce20c74  rsync-2.6.2-i486-1.tgz

Slackware -current package:
31eb4e17aea2a32a98d4576fab64ab8b  rsync-2.6.2-i486-1.tgz


Installation instructions:
+------------------------+

If rsync is running as a server, shut it down first.

Then, upgrade the packages as root:
# upgradepkg rsync-2.6.2-i486-1.tgz

Finally, restart the rsync server if needed.


+-----+

Slackware Linux Security Team
http://slackware.com/gpg-key
security@...ckware.com

+------------------------------------------------------------------------+
| To leave the slackware-security mailing list:                          |
+------------------------------------------------------------------------+
| Send an email to majordomo@...ckware.com with this text in the body of |
| the email message:                                                     |
|                                                                        |
|   unsubscribe slackware-security                                       |
|                                                                        |
| You will get a confirmation message back containing instructions to    |
| complete the process.  Please do not reply to this email address.      |
+------------------------------------------------------------------------+

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)

iD8DBQFAlqInakRjwEAQIjMRAn/XAJ9dwBsBV7VuRBPh6kvWyiWf+VGO+wCgkh7l
cn6CWFRgo4vQtZYJluLK37o=
=VhMB
-----END PGP SIGNATURE-----


Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ