Slackware alert SSA:2004-124-01 (rsync)
| From: | Slackware Security Team <security@slackware.com> | |
| To: | slackware-security@slackware.com | |
| Subject: | [slackware-security] rsync update (SSA:2004-124-01) | |
| Date: | Mon, 3 May 2004 13:06:08 -0700 (PDT) |
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 [slackware-security] rsync update (SSA:2004-124-01) New rsync packages are available for Slackware 8.1, 9.0, 9.1, and -current to fix a security issue. When running an rsync server without the chroot option it is possible for an attacker to write outside of the allowed directory. Any sites running rsync in that mode should upgrade right away (and should probably look into using the chroot option as well). More details about this issue may be found in the Common Vulnerabilities and Exposures (CVE) database: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0426 Here are the details from the Slackware 9.1 ChangeLog: +--------------------------+ Sun May 2 17:16:41 PDT 2004 patches/packages/rsync-2.6.2-i486-1.tgz: Upgraded to rsync-2.6.2. Rsync before 2.6.1 does not properly sanitize paths when running a read/write daemon without using chroot, allowing remote attackers to write files outside of the module's path. For more details, see: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0426 (* Security fix *) +--------------------------+ Where to find the new packages: +-----------------------------+ Updated package for Slackware 8.1: ftp://ftp.slackware.com/pub/slackware/slackware-8.1/patches/packages/rsync-2.6.2-i386-1.tgz Updated package for Slackware 9.0: ftp://ftp.slackware.com/pub/slackware/slackware-9.0/patches/packages/rsync-2.6.2-i386-1.tgz Updated package for Slackware 9.1: ftp://ftp.slackware.com/pub/slackware/slackware-9.1/patches/packages/rsync-2.6.2-i486-1.tgz Updated package for Slackware -current: ftp://ftp.slackware.com/pub/slackware/slackware-current/slackware/n/rsync-2.6.2-i486-1.tgz MD5 signatures: +-------------+ Slackware 8.1 package: f7702e872e7816dcb6f9b0ba27c3fb61 rsync-2.6.2-i386-1.tgz Slackware 9.0 package: f6ec19791028f4b355bc16d454031204 rsync-2.6.2-i386-1.tgz Slackware 9.1 package: a42dc11056b37c7ddd94f71e4ce20c74 rsync-2.6.2-i486-1.tgz Slackware -current package: 31eb4e17aea2a32a98d4576fab64ab8b rsync-2.6.2-i486-1.tgz Installation instructions: +------------------------+ If rsync is running as a server, shut it down first. Then, upgrade the packages as root: # upgradepkg rsync-2.6.2-i486-1.tgz Finally, restart the rsync server if needed. +-----+ Slackware Linux Security Team http://slackware.com/gpg-key security@slackware.com +------------------------------------------------------------------------+ | To leave the slackware-security mailing list: | +------------------------------------------------------------------------+ | Send an email to majordomo@slackware.com with this text in the body of | | the email message: | | | | unsubscribe slackware-security | | | | You will get a confirmation message back containing instructions to | | complete the process. Please do not reply to this email address. | +------------------------------------------------------------------------+ -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.4 (GNU/Linux) iD8DBQFAlqInakRjwEAQIjMRAn/XAJ9dwBsBV7VuRBPh6kvWyiWf+VGO+wCgkh7l cn6CWFRgo4vQtZYJluLK37o= =VhMB -----END PGP SIGNATURE-----
(Log in to post comments)