Updated rsync packages fix potential to write outside of directory tree

Rsync before 2.6.1 does not properly sanitize paths when running a read/write daemon without using chroot, which allows remote attackers to write files outside of the module's path. The updated packages provide a patched rsync to correct this problem.

  • Vendor: Mandrake
  • Vendor ID: MDKSA-2004:042
  • Date: May 10, 2004


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

_______________________________________________________________________

Mandrakelinux Security Update Advisory
_______________________________________________________________________

Package name: rsync
Advisory ID: MDKSA-2004:042
Date: May 10th, 2004

Affected versions: 10.0, 9.1, 9.2, Corporate Server 2.1,
Multi Network Firewall 8.2
______________________________________________________________________

Problem Description:

Rsync before 2.6.1 does not properly sanitize paths when running a
read/write daemon without using chroot, allows remote attackers to write
files outside of the module's path.

The updated packages provide a patched rsync to correct this problem.
_______________________________________________________________________

References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0426
http://rsync.samba.org/index.html
______________________________________________________________________

Updated Packages:

Mandrakelinux 10.0:
37d41b25e920dae54d4374eeb2c6ed35 10.0/RPMS/rsync-2.6.0-1.1.100mdk.i586.rpm
0a6caf4adbe90718f65508019c7c1cb0 10.0/SRPMS/rsync-2.6.0-1.1.100mdk.src.rpm

Corporate Server 2.1:
1ba8905c204e353773cfbabe28be3d52 corporate/2.1/RPMS/rsync-2.5.5-5.2.C21mdk.i586.rpm
800c75016100e86e11a4f14959d76540 corporate/2.1/SRPMS/rsync-2.5.5-5.2.C21mdk.src.rpm

Corporate Server 2.1/x86_64:
7c0e49f5b8bf074fbe083034e529b5cf x86_64/corporate/2.1/RPMS/rsync-2.5.5-5.2.C21mdk.x86_64.rpm
800c75016100e86e11a4f14959d76540 x86_64/corporate/2.1/SRPMS/rsync-2.5.5-5.2.C21mdk.src.rpm

Mandrakelinux 9.1:
80b525c84d466a032cbe48fcc79452ea 9.1/RPMS/rsync-2.5.7-0.2.91mdk.i586.rpm
c8198fd64489c4fcd0e20b2b9ed6f10b 9.1/SRPMS/rsync-2.5.7-0.2.91mdk.src.rpm

Mandrakelinux 9.1/PPC:
54489631fc2d5e6fcb5b71e288dfb978 ppc/9.1/RPMS/rsync-2.5.7-0.2.91mdk.ppc.rpm
c8198fd64489c4fcd0e20b2b9ed6f10b ppc/9.1/SRPMS/rsync-2.5.7-0.2.91mdk.src.rpm

Mandrakelinux 9.2:
d2f05448f48f04b441d7c997cfbe69ac 9.2/RPMS/rsync-2.5.7-0.2.92mdk.i586.rpm
29b26aac40d01e55b325ae8094695fe8 9.2/SRPMS/rsync-2.5.7-0.2.92mdk.src.rpm

Mandrakelinux 9.2/AMD64:
b18d86bc4f40e4337451d832306341da amd64/9.2/RPMS/rsync-2.5.7-0.2.92mdk.amd64.rpm
29b26aac40d01e55b325ae8094695fe8 amd64/9.2/SRPMS/rsync-2.5.7-0.2.92mdk.src.rpm

Multi Network Firewall 8.2:
aaaa900e64e6f60734eecf65aafca07a mnf8.2/RPMS/rsync-2.5.4-2.2.M82mdk.i586.rpm
d3b5df904cbf31ad95794821fc296b75 mnf8.2/SRPMS/rsync-2.5.4-2.2.M82mdk.src.rpm
_______________________________________________________________________

To upgrade automatically use MandrakeUpdate or urpmi. The verification
of md5 checksums and GPG signatures is performed automatically for you.

A list of FTP mirrors can be obtained from:

http://www.mandrakesecure.net/en/ftp.php

All packages are signed by Mandrakesoft for security. You can obtain
the GPG public key of the Mandrakelinux Security Team by executing:

gpg --recv-keys --keyserver www.mandrakesecure.net 0x22458A98

Please be aware that sometimes it takes the mirrors a few hours to
update.

You can view other update advisories for Mandrakelinux at:

http://www.mandrakesecure.net/en/advisories/

Mandrakesoft has several security-related mailing list services that
anyone can subscribe to. Information on these lists can be obtained by
visiting:

http://www.mandrakesecure.net/en/mlist.php

If you want to report vulnerabilities, please contact

security_linux-mandrake.com

Type Bits/KeyID Date User ID
pub 1024D/22458A98 2000-07-10 Linux Mandrake Security Team

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (GNU/Linux)

iD8DBQFAoDEemqjQ0CJFipgRAlKIAJ43/q0QIGDP0eTkWhovxA4a8Vl+cgCdFu5L
w5+ceUVlLcdpZjtcwQ4biPc=
=Vzlr
-----END PGP SIGNATURE-----
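
A defender's check for the condition the advisory describes, as an added example that is not part of the Mandrakesoft advisory: it lists the modules in an rsyncd.conf that are both writable and not chrooted. The function names and the sample module names and paths are hypothetical, and the script assumes the rsyncd.conf defaults of "use chroot = yes" and "read only = yes".

```shell
# Added example (not from the advisory): list rsync daemon modules that are
# both writable and not chrooted, the exposure MDKSA-2004:042 describes.
# Assumes rsyncd.conf defaults of "use chroot = yes" and "read only = yes";
# backslash line continuations are not handled.
audit_rsyncd_conf() {
    awk '
    function trim(s) { sub(/^[ \t]+/, "", s); sub(/[ \t\r]+$/, "", s); return s }
    function is_off(v) { return (v == "no" || v == "false" || v == "0") }
    function report() {
        if (module != "" && is_off(chroot) && is_off(ro)) print module
    }
    BEGIN { g_chroot = "yes"; g_ro = "yes"; module = "" }
    /^[ \t]*[#;]/ { next }                 # comment line
    /^[ \t\r]*$/  { next }                 # blank line
    /^[ \t]*\[/ {                          # new [module] section
        report()
        module = $0
        sub(/^[ \t]*\[/, "", module); sub(/\].*$/, "", module)
        chroot = g_chroot; ro = g_ro       # inherit global settings
        next
    }
    {
        eq = index($0, "=")
        if (eq == 0) next
        key = tolower(trim(substr($0, 1, eq - 1))); gsub(/[ \t]+/, " ", key)
        val = tolower(trim(substr($0, eq + 1)))
        if (key == "use chroot") { if (module == "") g_chroot = val; else chroot = val }
        if (key == "read only")  { if (module == "") g_ro = val; else ro = val }
    }
    END { report() }
    ' "$1"
}

# Constructed sample configuration; module names and paths are hypothetical.
write_sample_conf() {
    cat <<'EOF'
read only = no
[backup]
path = /srv/backup
use chroot = no
[pub]
read only = yes
use chroot = no
[upload]
Use Chroot = false
[jail]
use chroot = yes
EOF
}
```

Any module the function prints matches the configuration named in the advisory and stays exposed until the updated rsync package is installed.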
