Slackware: 'rsync' Multiple vulnerabilities
Posted by LinuxSecurity.com Team   
Slackware Fixes the zlib vulnerability and supplementary groups are removed from a server process after changing uid and gid.


Date: Mon, 11 Mar 2002 15:25:45 -0800 (PST)
From: Slackware Security Team <security@slackware.com>
To: slackware-security@slackware.com
Subject: [slackware-security] rsync update fixes security problems


New rsync packages are available to fix security problems.

Here's the information from the Slackware 8.0 ChangeLog:

----------------------------
Mon Mar 11 15:09:26 PST 2002
patches/packages/rsync.tgz:  Upgraded to rsync-2.5.3.  This fixes two security
  problems:

  * Make sure that supplementary groups are removed from a server
    process after changing uid and gid. (Ethan Benson) (Debian bug
    #132272, CVE CAN-2002-0080)

  * Fix zlib double-free bug.  (Owen Taylor, Mark J Cox) (CVE CAN-2002-0059)

(* Security fix *)
----------------------------

We recommend that sites providing external rsync access upgrade to the fixed
rsync package as soon as possible.


WHERE TO FIND THE NEW PACKAGE:
------------------------------
Updated rsync package for Slackware 8.0: 
ftp://ftp.slackware.com/pub/slackware/slackware-8.0/patches/packages/rsync.tgz

Updated rsync package for Slackware 7.1: 
ftp://ftp.slackware.com/pub/slackware/slackware-7.1/patches/packages/rsync.tgz


MD5 SIGNATURE:
--------------

Here are the md5sums for the packages:

Slackware 8.0:
e88390bae124be2af4b707ad3fbfc791  rsync.tgz

Slackware 7.1:
959b82dd4fbb84da564b2ce18eb56afc  rsync.tgz


INSTALLATION INSTRUCTIONS:
--------------------------

Simply upgrade as root:

   # upgradepkg rsync.tgz


Remember, it's also a good idea to backup configuration files before
upgrading packages.

- Slackware Linux Security Team
   http://www.slackware.com