rsync-3.1.2-12.0.3.el7.AXS7
Errata ID: AXSA:2025-9708:04
Rsync uses a reliable algorithm to bring remote and host files into sync very
quickly. Rsync is fast because it just sends the differences in the files over
the network instead of sending the complete files. Rsync is often used as a very
powerful mirroring process or just as a more capable replacement for the rcp
command. A technical report which describes the rsync algorithm is included in
this package.
Security Fix(es):
* CVE-2024-12087: fix path traversal vulnerability in rsync enabled by the
'--inc-recursive' option
* CVE-2024-12088: make --safe-links stricter
CVE(s):
CVE-2024-12087
A path traversal vulnerability exists in rsync. It stems from behavior enabled by the `--inc-recursive` option, which is enabled by default for many client options and can be enabled by the server even if the client does not explicitly enable it. When using the `--inc-recursive` option, a lack of proper symlink verification coupled with deduplication checks occurring on a per-file-list basis could allow a server to write files outside of the client's intended destination directory. A malicious server could write malicious files to arbitrary locations named after valid directories/paths on the client.
CVE-2024-12088
A flaw was found in rsync. When using the `--safe-links` option, the rsync client fails to properly verify if a symbolic link destination sent from the server contains another symbolic link within it. This results in a path traversal vulnerability, which may lead to arbitrary file write outside the desired directory.
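An added example (not code from rsync or from this advisory): a Python audit of a destination tree for the pattern described under CVE-2024-12088, comparing a text-only check of each symlink target with full resolution through intermediate symlinks. The helper names and the sample tree are constructed for illustration.

```python
import os
import tempfile


def _inside(root, path):
    """True if path is root or lies beneath it (both compared as absolute paths)."""
    root = os.path.abspath(root)
    return os.path.commonpath([root, os.path.abspath(path)]) == root


def lexical_escape(root, link):
    """Text-only check: normalise the link target without touching the filesystem."""
    target = os.path.join(os.path.dirname(link), os.readlink(link))
    return not _inside(root, os.path.normpath(target))


def resolved_escape(root, link):
    """Full check: follow every symlink in the target, including intermediate ones."""
    return not _inside(os.path.realpath(root), os.path.realpath(link))


def audit_tree(root):
    """Map each symlink under root to (lexical_escape, resolved_escape)."""
    findings = {}
    for dirpath, dirnames, filenames in os.walk(root, followlinks=False):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            if os.path.islink(path):
                rel = os.path.relpath(path, root)
                findings[rel] = (lexical_escape(root, path), resolved_escape(root, path))
    return findings


def build_sample():
    """Constructed sample: a destination tree plus a sibling directory outside it."""
    base = tempfile.mkdtemp()
    root, outside = os.path.join(base, "dest"), os.path.join(base, "outside")
    os.makedirs(os.path.join(root, "data"))
    os.makedirs(outside)
    os.symlink("data", os.path.join(root, "plain"))         # stays inside the tree
    os.symlink(outside, os.path.join(root, "data", "hop"))  # absolute target outside
    os.symlink("data/hop/x", os.path.join(root, "nested"))  # path runs through "hop"
    return root


if __name__ == "__main__":
    for rel, (lex, res) in sorted(audit_tree(build_sample()).items()):
        flag = "REVIEW" if res else "ok"
        print(f"{rel:10} lexical_escape={lex!s:5} resolved_escape={res!s:5} {flag}")
```

Links for which the two values differ, such as `nested` in the sample, are the ones a text-only check passes even though the resolved target lies outside the tree.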
Update packages.
N/A
Asianux Server 7 for x86_64
- rsync-3.1.2-12.0.3.el7.AXS7.x86_64.rpm
MD5: 2bd09c369cc8997f300ec956fbf09a77
SHA-256: 7dd1f369548a01fadbddce83fbc7a209b366c4fd5b14b214469d6e1344f2fa51
Size: 408.20 kB