rsync-3.1.2-12.0.3.el7.AXS7
Errata ID: AXSA:2025-9708:04
Release date:
2025/02/26 Wednesday - 10:48
Title:
rsync-3.1.2-12.0.3.el7.AXS7
Affected channels:
Asianux Server 7 for x86_64
Severity:
Moderate
Description:
The following issues have been addressed.
[Security Fix]
- rsync is missing a check on symbolic links, which allows
a remote attacker to write files outside the directory the
client intended. (CVE-2024-12087)
- rsync does not correctly check whether the destination of a
symbolic link contains another symbolic link, which allows
a remote attacker to write to arbitrary files through use of
the rsync command with the "--safe-links" option.
(CVE-2024-12088)
Solution:
Update the package.
CVE:
CVE-2024-12087
A path traversal vulnerability exists in rsync. It stems from behavior enabled by the `--inc-recursive` option, a default-enabled option for many client options and can be enabled by the server even if not explicitly enabled by the client. When using the `--inc-recursive` option, a lack of proper symlink verification coupled with deduplication checks occurring on a per-file-list basis could allow a server to write files outside of the client's intended destination directory. A malicious server could write malicious files to arbitrary locations named after valid directories/paths on the client.
CVE-2024-12088
A flaw was found in rsync. When using the `--safe-links` option, the rsync client fails to properly verify if a symbolic link destination sent from the server contains another symbolic link within it. This results in a path traversal vulnerability, which may lead to arbitrary file write outside the desired directory.
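As an added example (not part of the advisory and not rsync's code), the following audit walks a destination tree that was populated by rsync and reports every symlink whose fully resolved target lies outside the tree, including the case described for CVE-2024-12088 where the target passes through another symlink. The `lexically_safe` helper, the directory names and the sample tree are assumptions constructed for illustration.

```python
import os
import tempfile

def lexically_safe(link_dir_rel, target):
    """Text-only check (a simplification, not rsync's code): the target is
    relative and its '..' components never climb above the tree root."""
    if os.path.isabs(target):
        return False
    depth = len([p for p in link_dir_rel.split("/") if p not in ("", ".")])
    for part in target.split("/"):
        if part == "..":
            depth -= 1
            if depth < 0:
                return False
        elif part not in ("", "."):
            depth += 1
    return True

def escaping_symlinks(root):
    """Relative paths of symlinks under root whose fully resolved target,
    following every intermediate symlink, lies outside root."""
    real_root = os.path.realpath(root)
    found = []
    for dirpath, dirnames, filenames in os.walk(root, followlinks=False):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            if os.path.islink(path):
                resolved = os.path.realpath(path)
                if os.path.commonpath([real_root, resolved]) != real_root:
                    found.append(os.path.relpath(path, root))
    return sorted(found)

def demo():
    """Build a constructed destination tree in a temp dir and audit it."""
    with tempfile.TemporaryDirectory() as tmp:
        dest = os.path.join(tmp, "dest")
        os.makedirs(os.path.join(dest, "sub"))
        os.makedirs(os.path.join(tmp, "outside"))
        os.symlink("sub", os.path.join(dest, "ok"))           # stays inside
        os.symlink("../outside", os.path.join(dest, "hop"))   # leaves the tree
        os.symlink("hop/data", os.path.join(dest, "inner"))   # leaves via hop
        return escaping_symlinks(dest), lexically_safe(".", "hop/data")

if __name__ == "__main__":
    found, text_check_passes = demo()
    print("symlinks resolving outside the tree:", found)
    print("text-only check accepts 'hop/data':", text_check_passes)
```

The target `hop/data` contains no `..` and is not absolute, so a check on the target string alone accepts it; only resolving each path component shows that it leaves the tree.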
Additional information:
N/A
Download:
Asianux Server 7 for x86_64
- rsync-3.1.2-12.0.3.el7.AXS7.x86_64.rpm
MD5: 2bd09c369cc8997f300ec956fbf09a77
SHA-256: 7dd1f369548a01fadbddce83fbc7a209b366c4fd5b14b214469d6e1344f2fa51
Size: 408.20 kB