FS#57111 - [rsync] CVEs 2017-16548, 2017-17433 and 2017-17434
Attached to Project: Arch Linux
Opened by Pascal Ernster (hardfalcon) - Tuesday, 16 January 2018, 11:59 GMT
Last edited by Christian Hesse (eworm) - Tuesday, 16 January 2018, 14:29 GMT
Details
rsync 3.1.2-8 (packaged on 2017-10-30) is vulnerable to 3 CVEs:

https://nvd.nist.gov/vuln/detail/CVE-2017-16548
https://nvd.nist.gov/vuln/detail/CVE-2017-17433
https://nvd.nist.gov/vuln/detail/CVE-2017-17434

A quick glance over the commit messages in upstream's git hints at the presence of even more vulnerabilities. My suggestion would be to simply upgrade to rsync v3.1.3pre1, which was tagged/committed yesterday:

https://git.samba.org/rsync.git/?p=rsync.git;a=commit;h=c4a3f55be35726d0a033996dc37b0fb248b45cb5
https://git.samba.org/rsync.git/?p=rsync.git;a=blob;f=NEWS;h=3455e664754c0d7a7c81d32042d7ff09eef86cf8;hb=c4a3f55be35726d0a033996dc37b0fb248b45cb5
Closed by Christian Hesse (eworm)
Tuesday, 16 January 2018, 14:29 GMT
Reason for closing: Fixed
Additional comments about closing: rsync 3.1.3pre1
Comment by Pascal Ernster (hardfalcon) - Tuesday, 16 January 2018, 12:00 GMT
Sorry, forgot to cross-reference:
https://security.archlinux.org/AVG-542