rsync-3.2.3-9.el9.2

Errata ID: AXSA:2022-4046:07

Release date: Tuesday, November 15, 2022 - 13:09
Subject: rsync-3.2.3-9.el9.2
Affected Channels: MIRACLE LINUX 9 for x86_64
Severity: High
Description: 

The rsync utility enables users to copy and synchronize files locally or across a network. Synchronization with rsync is fast because rsync sends only the differences between files over the network instead of whole files. The rsync utility is also used as a mirroring tool.

Security Fix(es):

* rsync: remote arbitrary files write inside the directories of connecting peers (CVE-2022-29154)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

CVE-2022-29154
An issue was discovered in rsync before 3.2.5 that allows malicious remote servers to write arbitrary files inside the directories of connecting peers. The server chooses which files/directories are sent to the client. However, the rsync client performs insufficient validation of file names. A malicious rsync server (or Man-in-The-Middle attacker) can overwrite arbitrary files in the rsync client target directory and subdirectories (for example, overwrite the .ssh/authorized_keys file).
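The missing validation described above can be illustrated with a simplified model, added here as an example and not taken from rsync's source or from the vendor's patch: the receiving side compares each name in the server's file list with what it actually requested. The function names, the sample paths and the restriction to sources named without a trailing slash are assumptions of this sketch.

```python
import posixpath

def expected_top_level(requested_paths):
    """Top-level names the client should see, one per requested remote path."""
    names = set()
    for path in requested_paths:
        if path.endswith("/"):
            # "dir/" means "contents of dir"; names cannot be predicted, so
            # this simplified model refuses instead of guessing.
            raise ValueError(f"trailing-slash source not modelled: {path!r}")
        names.add(posixpath.basename(path))
    return names

def classify(name, allowed):
    """Return a rejection reason for one received file-list name, or None."""
    if not name or name.startswith("/"):
        return "unsafe path"
    parts = [p for p in name.split("/") if p not in ("", ".")]
    if not parts or ".." in parts:
        return "unsafe path"
    if parts[0] not in allowed:
        return "not requested"
    return None

def unexpected_entries(requested_paths, received_names):
    """List (name, reason) for every entry the server sent that must be refused."""
    allowed = expected_top_level(requested_paths)
    flagged = []
    for name in received_names:
        reason = classify(name, allowed)
        if reason:
            flagged.append((name, reason))
    return flagged

# Constructed sample data: what the client asked for, and a file list in
# which the server added entries nobody requested.
REQUESTED = ["/srv/pub/report.txt", "/srv/pub/docs"]
RECEIVED = ["report.txt", "docs", "docs/a.md",
            ".ssh/authorized_keys", "../etc/x", "/etc/passwd"]

if __name__ == "__main__":
    for name, reason in unexpected_entries(REQUESTED, RECEIVED):
        print(f"REJECT {name}: {reason}")
```
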

Solution: 

Update packages.

Additional Info: 

N/A

Download: 

SRPMS
  1. rsync-3.2.3-9.el9.2.src.rpm
    MD5: d829368fdf62f6cf2f24f5af1872d66e
    SHA-256: 382f1960b3a9c012a85b130ff0bfe07178392c60ec5415cef65ea6663ff3eaad
    Size: 1.21 MB

Asianux Server 9 for x86_64
  1. rsync-3.2.3-9.el9.2.x86_64.rpm
    MD5: 6e92f9656729881e8ffde6c2691015c3
    SHA-256: 9ddb7dafa165cb4bf73c67c05bb1de93088deadad69c778d34cb25d536931e65
    Size: 391.72 kB
  2. rsync-daemon-3.2.3-9.el9.2.noarch.rpm
    MD5: cf225698b5921ab7f69b29a186a5bdae
    SHA-256: 92436ccb645b323959cfaf8b1b4c03caecb80101031489437013363bc051ff96
    Size: 9.77 kB