==========================================================================
Ubuntu Security Notice USN-3506-1
December 07, 2017
rsync vulnerabilities
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
– Ubuntu 17.10
– Ubuntu 17.04
– Ubuntu 16.04 LTS
– Ubuntu 14.04 LTS
Summary:
Several security issues were fixed in rsync.
Software Description:
– rsync: fast, versatile, remote (and local) file-copying tool
Details:
It was discovered that rsync proceeds with certain file metadata
updates before checking for a filename. An attacker could use this to
bypass access restrictions. (CVE-2017-17433)
It was discovered that rsync does not check for fnamecmp filenames and
also does not apply the sanitize_paths protection mechanism to
pathnames. An attacker could use this to bypass access restrictions.
(CVE-2017-17434)
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 17.10:
rsync 3.1.2-2ubuntu0.1
Ubuntu 17.04:
rsync 3.1.2-1ubuntu0.1
Ubuntu 16.04 LTS:
rsync 3.1.1-3ubuntu1.1
Ubuntu 14.04 LTS:
rsync 3.1.0-2ubuntu0.3
In general, a standard system update will make all the necessary
changes.
References:
https://www.ubuntu.com/usn/usn-3506-1
CVE-2017-17433, CVE-2017-17434
Package Information:
https://launchpad.net/ubuntu/+source/rsync/3.1.2-2ubuntu0.1
https://launchpad.net/ubuntu/+source/rsync/3.1.2-1ubuntu0.1
https://launchpad.net/ubuntu/+source/rsync/3.1.1-3ubuntu1.1
https://launchpad.net/ubuntu/+source/rsync/3.1.0-2ubuntu0.3
—–BEGIN PGP SIGNATURE—–
Version: GnuPG v2
iQIcBAABCAAGBQJaKUNwAAoJEEW851uECx9ptrYP/imwpsEizACWfIkgFSVSFTQ3
QaZ+sVed7w3bzuM4PHFhMFQR7jOWdZMQVXMnZOZThZkflITgnaGx8+eZjO4RR9SB
oMpI0QDW+vhaXKqvIxCBHu1w8S5aBah0WzYnKFb9RVSMkzB4EtxUwjnk9hGABzY7
OpqrHnQ5nIdMA7+aV+E0htALjtDH73p3aYutcZz3qqrr5WKjBJPiBJPBH0rfAdxE
aoCI5Tv6LiY6VSoTHYOMdNFW0TlRMu7tC/UKqJbQ2Lcj59VqNSMQ1koszWcwcg0+
nRTQ1YTi8ZYB9hHBNvMtW1JrT3h6MLGIE0HW56/YGTv5esTCJpQfNg06JPtaIvsC
/gOVpK6AigXWg7HAks4HyJcZzvhNZCYKYlxeR0eq3HnR/rWOnrVIDp3qnPiNUX0Z
08f9lxFXIyC5L9EnwAVF/VNoWAtMnJpYSl+g+NXqyNgRCn+3/KNXd7d6oFrbXBO8
T8vSV/ZBKHy5Zd7HEXMQeF6sl5N3dEud1zJ3d6t6aPHK7elhwTPfE/6zgz9AEZBb
na1lioZ3FPOS8SHvpIFUvgrcvFPwkVQvuRJX3QHUSDO3fK9GJTbo6FTs+5Dlz1H9
RSovM2bk1h7DovXbNPZ5zNtNr3WiUWWsWMPZ42/PIVLVNAK6Ld3CXRz8Jc0n3SvM
xaSbiq6guasRlP9QGvLR
=0Y32
—–END PGP SIGNATURE—–
—
ubuntu-security-announce mailing list
ubuntu-security-announce@lists.ubuntu.com
Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-security-announce
==========================================================================
Ubuntu Security Notice USN-3506-2
December 07, 2017
rsync vulnerabilities
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
– Ubuntu 12.04 ESM
Summary:
Several security issues were fixed in rsync.
Software Description:
– rsync: fast, versatile, remote (and local) file-copying tool
Details:
USN-3506-1 fixed two vulnerabilities in rsync. This update provides
the corresponding update for Ubuntu 12.04 ESM.
Original advisory details:
It was discovered that rsync proceeds with certain file metadata
updates before checking for a filename. An attacker could use this to
bypass access restrictions. (CVE-2017-17433)
It was discovered that rsync does not check for fnamecmp filenames and
also does not apply the sanitize_paths protection mechanism to
pathnames. An attacker could use this to bypass access restrictions.
(CVE-2017-17434)
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 12.04 ESM:
rsync 3.0.9-1ubuntu1.2
In general, a standard system update will make all the necessary
changes.
References:
https://www.ubuntu.com/usn/usn-3506-2
https://www.ubuntu.com/usn/usn-3506-1
CVE-2017-17433, CVE-2017-17434
—–BEGIN PGP SIGNATURE—–
Version: GnuPG v2
iQIcBAABCAAGBQJaKUv6AAoJEEW851uECx9pZbkP/jdMK8sRC6u8fZwrFr8ylVjq
GJXoh3ftERqWzNbPpXrk5hmfM5Rhcy05qaMOXlDUCUjYpn1TTB4yRY0KtYU3w8bH
r9k5IcVv/y5NBzvPWyLYV7dKwf+waU0+ekdh7Z2CtNrgzLDLiJCQaJJgnZMVEj8/
m1zUc6UbeEAqogWiEb45aDbbm/U8La4VIwT8f2mRbiTvCtGgasivOiqsVAFTKF4C
rn9EUP7qiGKL/1ILimzbw3aHgnnpfugmhEJ/4aFDmXSuvpNbAXMobzMtVM8at+l7
3H3WZOH+Hn/RbeCIuNmt52ETuYf7r+zk7bz88YCu2Rdmgk3Xjc4Ti0usiN7Y5RbW
yIAXDfHiWeIaZL258c2+exXScVYPKTDs1Y2nJxQfUXvNQek89NppTmMmIQKg0EvV
S7nXj44yXT7r0L/n1X9kcOZT5AsB9Hb0anSpDXQ/Ur1kl919fovUlvcgzpffqDL2
JY5qy2CX1m9w64t1Tn1PYlfkxkaXDdE0iNuaqQYtYwl5DNw4E/UhZ3IUP8rnWPFP
8gtkgJDD+w9auMzqz3iUw2CFE1ZAba894cPHQZcK6WDyZpWIMdt45Pvk9Vlq+9pt
DjLXVi9p0okpMij4ZL3No7Z5QYYebSnvzqq8Eb36h1vJHSjkxuoHlw+28heUhVJF
Q6w4j26+LJ8Kuy+fI81t
=8b3c
—–END PGP SIGNATURE—–
—