` 

---------------------------------------------------------------------
                   Red Hat, Inc. Red Hat Security Advisory

Synopsis:          New rsync packages available
Advisory ID:       RHSA-2002:018-05
Issue date:        2002-01-23
Updated on:        2002-01-25
Product:           Red Hat Linux
Keywords:          rsync signed unsigned daemon
Cross references:  
Obsoletes:         
---------------------------------------------------------------------

1. Topic:

New rsync packages are available; these fix a remotely exploitable problem
in the I/O functions.

It is strongly recommended that all users of rsync upgrade to the fixed
packages.

2. Relevant releases/architectures:

Red Hat Linux 6.2 - alpha, i386, sparc

Red Hat Linux 7.0 - alpha, i386

Red Hat Linux 7.1 - alpha, i386, ia64

Red Hat Linux 7.2 - i386, ia64

3. Problem description:

rsync is a powerful tool used for mirroring directory structures across
machines.  rsync has been found to contain several signed/unsigned bugs in
its I/O functions which are remotely exploitable.   A remote user can crash
the rsync server/client and execute code as the user running the rsync
server or client.

The Common Vulnerabilities and Exposures project (cve.mitre.org) has
assigned the name CAN-2002-0048 to this issue.

All users of rsync should upgrade their packages.  In addition rsync server
administrators should consider using the "use chroot", "uid",  and "read
only" options, which can significantly reduce the impact of a security
problem in rsync or elsewhere.

Thanks go to Sebastian Krahmer for providing a patch for this vulnerability
and to Andrew Tridgell and Martin Pool for their rapid response.

4. Solution:

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

To update all RPMs for your particular architecture, run:

rpm -Fvh [filenames]

where [filenames] is a list of the RPMs you wish to upgrade.  Only those
RPMs which are currently installed will be updated.  Those RPMs which are
not installed but included in the list will not be updated.  Note that you
can also use wildcards (*.rpm) if your current directory *only* contains the
desired RPMs.

Please note that this update is also available via Red Hat Network.  Many
people find this an easier way to apply updates.  To use Red Hat Network,
launch the Red Hat Update Agent with the following command:

up2date

This will start an interactive process that will result in the appropriate
RPMs being upgraded on your system.

5. Bug IDs fixed  (  for more info):



6. RPMs required:

Red Hat Linux 6.2:

SRPMS: 
 

alpha: 
 

i386: 
 

sparc: 
 

Red Hat Linux 7.0:

SRPMS: 
 

alpha: 
 

i386: 
 

Red Hat Linux 7.1:

SRPMS: 
 

alpha: 
 

i386: 
 

ia64: 
 

Red Hat Linux 7.2:

SRPMS: 
 

i386: 
 

ia64: 
 



7. Verification:

MD5 sum                          Package Name
--------------------------------------------------------------------------
2bd10eb10e84fadc305ebfc2e264ec2e 6.2/en/os/SRPMS/rsync-2.4.6-0.6.src.rpm
b38a1e9912b7e49496cd0550700a0917 6.2/en/os/alpha/rsync-2.4.6-0.6.alpha.rpm
80efc477a6b5c921b663f0de9e599ca2 6.2/en/os/i386/rsync-2.4.6-0.6.i386.rpm
69eef6216061a8f7a1fc81d6c74196e1 6.2/en/os/sparc/rsync-2.4.6-0.6.sparc.rpm
03cb9d0957edc8924c8fb6b5c83b4576 7.0/en/os/SRPMS/rsync-2.4.6-8.src.rpm
546234ec652e9baa9053f8d18ac5f20f 7.0/en/os/alpha/rsync-2.4.6-8.alpha.rpm
7efbc285a01752c893c112373feb0fd8 7.0/en/os/i386/rsync-2.4.6-8.i386.rpm
03cb9d0957edc8924c8fb6b5c83b4576 7.1/en/os/SRPMS/rsync-2.4.6-8.src.rpm
546234ec652e9baa9053f8d18ac5f20f 7.1/en/os/alpha/rsync-2.4.6-8.alpha.rpm
7efbc285a01752c893c112373feb0fd8 7.1/en/os/i386/rsync-2.4.6-8.i386.rpm
38f4d868226a980a1c763bb1ef27805a 7.1/en/os/ia64/rsync-2.4.6-8.ia64.rpm
03cb9d0957edc8924c8fb6b5c83b4576 7.2/en/os/SRPMS/rsync-2.4.6-8.src.rpm
7efbc285a01752c893c112373feb0fd8 7.2/en/os/i386/rsync-2.4.6-8.i386.rpm
38f4d868226a980a1c763bb1ef27805a 7.2/en/os/ia64/rsync-2.4.6-8.ia64.rpm
 

These packages are GPG signed by Red Hat, Inc. for security.  Our key
is available at:
     About

You can verify each package with the following command:
    rpm --checksig  

If you only wish to verify that each package has not been corrupted or
tampered with, examine only the md5sum with the following command:
    rpm --checksig --nogpg 

8. References:
 
CVE -CVE-2002-0048


Copyright(c) 2000, 2001, 2002 Red Hat, Inc.
`

RedHat: 'rsync' Remote command execution

There exist several signedness bugs within the rsync ...

Summary



Summary

rsync is a powerful tool used for mirroring directory structures acrossmachines. rsync has been found to contain several signed/unsigned bugs inits I/O functions which are remotely exploitable. A remote user can crashthe rsync server/client and execute code as the user running the rsyncserver or client.The Common Vulnerabilities and Exposures project (cve.mitre.org) hasassigned the name CAN-2002-0048 to this issue.All users of rsync should upgrade their packages. In addition rsync serveradministrators should consider using the "use chroot", "uid", and "readonly" options, which can significantly reduce the impact of a securityproblem in rsync or elsewhere.Thanks go to Sebastian Krahmer for providing a patch for this vulnerabilityand to Andrew Tridgell and Martin Pool for their rapid response.


Solution

Before applying this update, make sure all previously released errata relevant to your system have been applied.
To update all RPMs for your particular architecture, run:
rpm -Fvh [filenames]
where [filenames] is a list of the RPMs you wish to upgrade. Only those RPMs which are currently installed will be updated. Those RPMs which are not installed but included in the list will not be updated. Note that you can also use wildcards (*.rpm) if your current directory *only* contains the desired RPMs.
Please note that this update is also available via Red Hat Network. Many people find this an easier way to apply updates. To use Red Hat Network, launch the Red Hat Update Agent with the following command:
up2date
This will start an interactive process that will result in the appropriate RPMs being upgraded on your system.
5. Bug IDs fixed ( for more info):


6. RPMs required:
Red Hat Linux 6.2:
SRPMS:

alpha:

i386:

sparc:

Red Hat Linux 7.0:
SRPMS:

alpha:

i386:

Red Hat Linux 7.1:
SRPMS:

alpha:

i386:

ia64:

Red Hat Linux 7.2:
SRPMS:

i386:

ia64:



7. Verification:
MD5 sum Package Name 2bd10eb10e84fadc305ebfc2e264ec2e 6.2/en/os/SRPMS/rsync-2.4.6-0.6.src.rpm b38a1e9912b7e49496cd0550700a0917 6.2/en/os/alpha/rsync-2.4.6-0.6.alpha.rpm 80efc477a6b5c921b663f0de9e599ca2 6.2/en/os/i386/rsync-2.4.6-0.6.i386.rpm 69eef6216061a8f7a1fc81d6c74196e1 6.2/en/os/sparc/rsync-2.4.6-0.6.sparc.rpm 03cb9d0957edc8924c8fb6b5c83b4576 7.0/en/os/SRPMS/rsync-2.4.6-8.src.rpm 546234ec652e9baa9053f8d18ac5f20f 7.0/en/os/alpha/rsync-2.4.6-8.alpha.rpm 7efbc285a01752c893c112373feb0fd8 7.0/en/os/i386/rsync-2.4.6-8.i386.rpm 03cb9d0957edc8924c8fb6b5c83b4576 7.1/en/os/SRPMS/rsync-2.4.6-8.src.rpm 546234ec652e9baa9053f8d18ac5f20f 7.1/en/os/alpha/rsync-2.4.6-8.alpha.rpm 7efbc285a01752c893c112373feb0fd8 7.1/en/os/i386/rsync-2.4.6-8.i386.rpm 38f4d868226a980a1c763bb1ef27805a 7.1/en/os/ia64/rsync-2.4.6-8.ia64.rpm 03cb9d0957edc8924c8fb6b5c83b4576 7.2/en/os/SRPMS/rsync-2.4.6-8.src.rpm 7efbc285a01752c893c112373feb0fd8 7.2/en/os/i386/rsync-2.4.6-8.i386.rpm 38f4d868226a980a1c763bb1ef27805a 7.2/en/os/ia64/rsync-2.4.6-8.ia64.rpm

These packages are GPG signed by Red Hat, Inc. for security. Our key is available at: About
You can verify each package with the following command: rpm --checksig
If you only wish to verify that each package has not been corrupted or tampered with, examine only the md5sum with the following command: rpm --checksig --nogpg

References

CVE -CVE-2002-0048 Copyright(c) 2000, 2001, 2002 Red Hat, Inc. `

Package List


Severity
Advisory ID: RHSA-2002:018-05
Issued Date: : 2002-01-23
Updated on: 2002-01-25
Product: Red Hat Linux
Keywords: rsync signed unsigned daemon
Cross references:
Obsoletes:

Topic


Topic

New rsync packages are available; these fix a remotely exploitable problem

in the I/O functions.

It is strongly recommended that all users of rsync upgrade to the fixed

packages.


 

Relevant Releases Architectures

Red Hat Linux 6.2 - alpha, i386, sparc

Red Hat Linux 7.0 - alpha, i386

Red Hat Linux 7.1 - alpha, i386, ia64

Red Hat Linux 7.2 - i386, ia64


Bugs Fixed


Related News

13.Lock StylizedMotherboard Esm H320
1 - 2 min read
Spiral Linux is a Debian-based distribution that offers a range of desktop environments, making it stand out from other Linux distributions. In
32.Lock Code Circular Esm H320
2 - 3 min read
Two critical security vulnerabilities were found in pgAdmin, the open-source administration tool for PostgreSQL . The vulnerabilities assigned
1.Penguin Landscape Esm H320
2 - 3 min read
The recent release of AlmaLinux 9.4 , closely aligned with Red Hat Enterprise Linux (RHEL) 9.4 , presents Linux admins and infosec professionals
11.Locks IsometricPattern Esm H320
2 - 3 min read
The upcoming release of Linux Mint 22 will introduce significant changes, particularly in handling XApp , GNOME applications, and the Software
2.Motherboard Esm H320
2 - 3 min read
German software engineer Lennart Poettering recently presented run0 , a new tool in systemd v256 that aims to address the security concerns
22.Lock ScreenEffect Esm H320
2 - 3 min read
Red Hat recently released its newest enterprise Linux distro, Red Hat Enterprise Linux (RHEL) 9.4 , which introduces several features designed to
8.Locks HexConnections CodeGlobe Esm H320
1 - 2 min read
The latest release of Debian , one of the oldest and most trusted distributions within the Linux ecosystem, redefines security, stability, and
20.Lock AbstractDigital Circular Esm H320
1 - 2 min read
The Ubuntu security team has recently discovered and addressed multiple vulnerabilities in the Apache HTTP Server. The vulnerabilities affected
Sign Up

Get the Latest News & Insights

Sign up to get the latest security news affecting Linux and open source delivered straight to your inbox.

© 2024 Guardian Digital, Inc All Rights Reserved