You are here
Home > Preporuke > Sigurnosni nedostaci programskog paketa rsync

Sigurnosni nedostaci programskog paketa rsync

by ncert - 0

==========================================================================
Ubuntu Security Notice USN-3506-1
December 07, 2017

rsync vulnerabilities
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

– Ubuntu 17.10
– Ubuntu 17.04
– Ubuntu 16.04 LTS
– Ubuntu 14.04 LTS

Summary:

Several security issues were fixed in rsync.

Software Description:
– rsync: fast, versatile, remote (and local) file-copying tool

Details:

It was discovered that rsync proceeds with certain file metadata
updates before checking for a filename. An attacker could use this to
bypass access restrictions. (CVE-2017-17433)

It was discovered that rsync does not check for fnamecmp filenames and
also does not apply the sanitize_paths protection mechanism to
pathnames. An attacker could use this to bypass access restrictions.
(CVE-2017-17434)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 17.10:
  rsync                           3.1.2-2ubuntu0.1

Ubuntu 17.04:
  rsync                           3.1.2-1ubuntu0.1

Ubuntu 16.04 LTS:
  rsync                           3.1.1-3ubuntu1.1

Ubuntu 14.04 LTS:
  rsync                           3.1.0-2ubuntu0.3

In general, a standard system update will make all the necessary
changes.

References:
  https://www.ubuntu.com/usn/usn-3506-1
  CVE-2017-17433, CVE-2017-17434

Package Information:
  https://launchpad.net/ubuntu/+source/rsync/3.1.2-2ubuntu0.1
  https://launchpad.net/ubuntu/+source/rsync/3.1.2-1ubuntu0.1
  https://launchpad.net/ubuntu/+source/rsync/3.1.1-3ubuntu1.1
  https://launchpad.net/ubuntu/+source/rsync/3.1.0-2ubuntu0.3
—–BEGIN PGP SIGNATURE—–
Version: GnuPG v2

iQIcBAABCAAGBQJaKUNwAAoJEEW851uECx9ptrYP/imwpsEizACWfIkgFSVSFTQ3
QaZ+sVed7w3bzuM4PHFhMFQR7jOWdZMQVXMnZOZThZkflITgnaGx8+eZjO4RR9SB
oMpI0QDW+vhaXKqvIxCBHu1w8S5aBah0WzYnKFb9RVSMkzB4EtxUwjnk9hGABzY7
OpqrHnQ5nIdMA7+aV+E0htALjtDH73p3aYutcZz3qqrr5WKjBJPiBJPBH0rfAdxE
aoCI5Tv6LiY6VSoTHYOMdNFW0TlRMu7tC/UKqJbQ2Lcj59VqNSMQ1koszWcwcg0+
nRTQ1YTi8ZYB9hHBNvMtW1JrT3h6MLGIE0HW56/YGTv5esTCJpQfNg06JPtaIvsC
/gOVpK6AigXWg7HAks4HyJcZzvhNZCYKYlxeR0eq3HnR/rWOnrVIDp3qnPiNUX0Z
08f9lxFXIyC5L9EnwAVF/VNoWAtMnJpYSl+g+NXqyNgRCn+3/KNXd7d6oFrbXBO8
T8vSV/ZBKHy5Zd7HEXMQeF6sl5N3dEud1zJ3d6t6aPHK7elhwTPfE/6zgz9AEZBb
na1lioZ3FPOS8SHvpIFUvgrcvFPwkVQvuRJX3QHUSDO3fK9GJTbo6FTs+5Dlz1H9
RSovM2bk1h7DovXbNPZ5zNtNr3WiUWWsWMPZ42/PIVLVNAK6Ld3CXRz8Jc0n3SvM
xaSbiq6guasRlP9QGvLR
=0Y32
—–END PGP SIGNATURE—–

ubuntu-security-announce mailing list
ubuntu-security-announce@lists.ubuntu.com
Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-security-announce

==========================================================================
Ubuntu Security Notice USN-3506-2
December 07, 2017

rsync vulnerabilities
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

– Ubuntu 12.04 ESM

Summary:

Several security issues were fixed in rsync.

Software Description:
– rsync: fast, versatile, remote (and local) file-copying tool

Details:

USN-3506-1 fixed two vulnerabilities in rsync. This update provides
the corresponding update for Ubuntu 12.04 ESM.

Original advisory details:

 It was discovered that rsync proceeds with certain file metadata
 updates before checking for a filename. An attacker could use this to
 bypass access restrictions. (CVE-2017-17433)

 It was discovered that rsync does not check for fnamecmp filenames and
 also does not apply the sanitize_paths protection mechanism to
 pathnames. An attacker could use this to bypass access restrictions.
 (CVE-2017-17434)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 12.04 ESM:
  rsync                           3.0.9-1ubuntu1.2

In general, a standard system update will make all the necessary
changes.

References:
  https://www.ubuntu.com/usn/usn-3506-2
  https://www.ubuntu.com/usn/usn-3506-1
  CVE-2017-17433, CVE-2017-17434
—–BEGIN PGP SIGNATURE—–
Version: GnuPG v2

iQIcBAABCAAGBQJaKUv6AAoJEEW851uECx9pZbkP/jdMK8sRC6u8fZwrFr8ylVjq
GJXoh3ftERqWzNbPpXrk5hmfM5Rhcy05qaMOXlDUCUjYpn1TTB4yRY0KtYU3w8bH
r9k5IcVv/y5NBzvPWyLYV7dKwf+waU0+ekdh7Z2CtNrgzLDLiJCQaJJgnZMVEj8/
m1zUc6UbeEAqogWiEb45aDbbm/U8La4VIwT8f2mRbiTvCtGgasivOiqsVAFTKF4C
rn9EUP7qiGKL/1ILimzbw3aHgnnpfugmhEJ/4aFDmXSuvpNbAXMobzMtVM8at+l7
3H3WZOH+Hn/RbeCIuNmt52ETuYf7r+zk7bz88YCu2Rdmgk3Xjc4Ti0usiN7Y5RbW
yIAXDfHiWeIaZL258c2+exXScVYPKTDs1Y2nJxQfUXvNQek89NppTmMmIQKg0EvV
S7nXj44yXT7r0L/n1X9kcOZT5AsB9Hb0anSpDXQ/Ur1kl919fovUlvcgzpffqDL2
JY5qy2CX1m9w64t1Tn1PYlfkxkaXDdE0iNuaqQYtYwl5DNw4E/UhZ3IUP8rnWPFP
8gtkgJDD+w9auMzqz3iUw2CFE1ZAba894cPHQZcK6WDyZpWIMdt45Pvk9Vlq+9pt
DjLXVi9p0okpMij4ZL3No7Z5QYYebSnvzqq8Eb36h1vJHSjkxuoHlw+28heUhVJF
Q6w4j26+LJ8Kuy+fI81t
=8b3c
—–END PGP SIGNATURE—–

ncert
Top
More in Preporuke
Sigurnosni nedostatak programskog paketa nova

Otkriven je sigurnosni nedostatak u programskom paketu nova za operacijski sustav Debian. Otkriveni nedostatak potencijalnim napadačima omogućuje zaobilaženje sigurnosnih ograničenja....

Close