Please read this before reporting a bug:
https://wiki.archlinux.org/title/Bug_reporting_guidelines
Do NOT report bugs when a package is just outdated, or it is in the AUR. Use the 'flag out of date' link on the package page, or the Mailing List.
REPEAT: Do NOT report bugs for outdated packages!
FS#39920 - [rsync] rsync 3.1.0 is susceptible to CVE-2014-2855 (DOS vulnerability)
Attached to Project: Arch Linux
Opened by Noel Kuntze (thermi) - Thursday, 17 April 2014, 12:01 GMT
Last edited by Jan de Groot (JGC) - Monday, 21 April 2014, 17:25 GMT
Details
Description: rsync 3.1.0 is susceptible to CVE-2014-2855 (http://seclists.org/oss-sec/2014/q2/113) and should be patched accordingly. The patch will be integrated in the 3.1.1 release of rsync. The bug is exploitable by providing an invalid username upon authentication to the rsync server, which makes the child process loop infinitely over the credentials file. This can be exploited to attack the server in a DOS fashion.