The Slackware Linux Project: Mailing List Info

Mailing List Info

News
Security Advisories
FAQ
Book
General Info
Get Slack
Install Help
Configuration
Packages
ChangeLogs
Propaganda
Ports
Other Sites
Support
Contact

Mailing Lists
Archives

About

From: Slackware Security Team <security@slackware.com>
To: slackware-security@slackware.com
Subject: [slackware-security] rsync security update (SSA:2003-337-01)
Date: Wed, 3 Dec 2003 23:50:44 -0800 (PST)

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

[slackware-security]  rsync security update (SSA:2003-337-01)

Rsync is a file transfer client and server.

A security problem which may lead to unauthorized machine access
or code execution has been fixed by upgrading to rsync-2.5.7.
This problem only affects machines running rsync in daemon mode,
and is easier to exploit if the non-default option "use chroot = no"
is used in the /etc/rsyncd.conf config file.

Any sites running an rsync server should upgrade immediately.

For complete information, see the rsync home page:

  http://rsync.samba.org

Here are the details from the Slackware 9.1 ChangeLog:
+--------------------------+
Wed Dec  3 22:18:35 PST 2003
patches/packages/rsync-2.5.7-i486-1.tgz:  Upgraded to rsync-2.5.7.
  From the rsync-2.5.7-NEWS file:
    SECURITY:
    * Fix buffer handling bugs.  (Andrew Tridgell, Martin Pool, Paul
      Russell, Andrea Barisani)
  The vulnerability affects sites running rsync in daemon mode (rsync
  servers).  These sites should be upgraded immediately.
  (* Security fix *)
+--------------------------+


WHERE TO FIND THE NEW PACKAGE:
+-----------------------------+

Updated package for Slackware 8.1:
ftp://ftp.slackware.com/pub/slackware/slackware-8.1/patches/packages/rsync-2.5.7-i386-1.tgz

Updated package for Slackware 9.0:
ftp://ftp.slackware.com/pub/slackware/slackware-9.0/patches/packages/rsync-2.5.7-i386-1.tgz

Updated package for Slackware 9.1:
ftp://ftp.slackware.com/pub/slackware/slackware-9.1/patches/packages/rsync-2.5.7-i486-1.tgz

Updated package for Slackware -current:
ftp://ftp.slackware.com/pub/slackware/slackware-current/slackware/n/rsync-2.5.7-i486-1.tgz


MD5 SIGNATURES:
+-------------+

Slackware 8.1 package:
9adcdfaeca3022204bc1bef1d97802cf  rsync-2.5.7-i386-1.tgz

Slackware 9.0 package:
12788c9af15174c683ada4c5e5746372  rsync-2.5.7-i386-1.tgz

Slackware 9.1 package:
38d40a65d526f92c41ff72afae74e546  rsync-2.5.7-i486-1.tgz

Slackware -current package:
3f68fa78c6d095da4269e27806596d48  rsync-2.5.7-i486-1.tgz


INSTALLATION INSTRUCTIONS:
+------------------------+

If you're running rsync as a daemon, kill it:

# killall rsync

Then, upgrade the package:

# upgradepkg rsync-2.5.7-i486-1.tgz

Finally, restart the rsync daemon:

# rsync --daemon


+-----+

Slackware Linux Security Team
http://slackware.com/gpg-key
security@slackware.com

+------------------------------------------------------------------------+
| HOW TO REMOVE YOURSELF FROM THIS MAILING LIST:                         |
+------------------------------------------------------------------------+
| Send an email to majordomo@slackware.com with this text in the body of |
| the email message:                                                     |
|                                                                        |
|   unsubscribe slackware-security                                       |
|                                                                        |
| You will get a confirmation message back.  Follow the instructions to  |
| complete the unsubscription.  Do not reply to this message to          |
| unsubscribe!                                                           |
+------------------------------------------------------------------------+

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3 (GNU/Linux)

iD8DBQE/zuYUakRjwEAQIjMRAv8BAJ4mBp2BLFrk2Uw6qYbQyzZGWxDAhQCeK717
XvGEot5Waqq4pwafZ2dw3Lc=
=ddu3
-----END PGP SIGNATURE-----

Slackware™ is a trademark of Patrick Volkerding.