FS#39920 : [rsync] rsync 3.1.0 is susceptible to CVE-2014-2855 (DOS vulnerability)

FS#39920 - [rsync] rsync 3.1.0 is susceptible to CVE-2014-2855 (DOS vulnerability)

Attached to Project: Arch Linux
Opened by Noel Kuntze (thermi) - Thursday, 17 April 2014, 12:01 GMT
Last edited by Jan de Groot (JGC) - Monday, 21 April 2014, 17:25 GMT

Task Type	Bug Report
Category	Security
Status	Closed
Assigned To	Pierre Schmitz (Pierre)
Architecture	All
Severity	Critical
Priority	Normal
Reported Version
Due in Version	Undecided
Due Date	Undecided
Percent Complete
Votes	0
Private	No

Details

Description: rsync 3.1.0 is susceptible to CVE-2014-2855 (http://seclists.org/oss-sec/2014/q2/113)
and should be patched accordingly. The patch will be integrated in the 3.1.1 release of rsync.

The bug is exploitable by providing an invalid username upon authentication to the rsync server, which makes the child process loop infinitely over the credentials file.
This can be exploited to attack the server in a DOS fashion.

This task depends upon

Closed by Jan de Groot (JGC)
Monday, 21 April 2014, 17:25 GMT
Reason for closing: Fixed

	Tasks related to this task (0)

Duplicate tasks of this task (0)

Arch Linux

FS#39920 - [rsync] rsync 3.1.0 is susceptible to CVE-2014-2855 (DOS vulnerability)

Details

Loading...