=====================================================================
                                    CERT-Renater

                         Information Note No. 2008/VULN130
_____________________________________________________________________

DATE                      : 11/04/2008

HARDWARE PLATFORM(S)      : /

OPERATING SYSTEM(S)       : Systems running Rsync versions 2.6.9 onward.

======================================================================
http://www.mail-archive.com/rsync-announce@lists.samba.org/msg00057.html
______________________________________________________________________


[rsync-announce] Rsync 3.0.2 released w/xattr security fix (attn: 2.6.9 onward)

Wayne Davison
Tue, 08 Apr 2008 10:02:45 -0700

I have released rsync 3.0.2.  This is a security release to fix a
potential buffer overflow in the extended attribute support.  For
more details, see the rsync security advisory page:

   http://rsync.samba.org/security.html

There is a patch there that can be applied to 2.6.9 (if you were using
the xattrs.patch), 3.0.0, or 3.0.1.

Those running a writable rsync daemon can opt to refuse the "xattrs"
option in their daemon config to avoid the problem without an upgrade.

I would like to thank Sebastian Krahmer for bringing this bug to my
attention.

To see the brief summary of the changes since 3.0.1, visit this link:

   http://rsync.samba.org/ftp/rsync/src/rsync-3.0.2-NEWS

You can download the source tar file and its signature from here:

   http://rsync.samba.org/ftp/rsync/src/rsync-3.0.2.tar.gz
   http://rsync.samba.org/ftp/rsync/src/rsync-3.0.2.tar.gz.asc

..wayne..
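
The daemon-side workaround mentioned in the announcement can be audited with the sketch below, which is an added example and not part of the original message or of rsync itself. It assumes the documented rsyncd.conf conventions ("read only" defaults to yes, module settings override global ones, "refuse options" is a space-separated list of wildcard patterns); the sample configuration, module names and paths are constructed.

```python
import fnmatch

# Constructed sample rsyncd.conf; module names and paths are hypothetical.
SAMPLE_CONF = """\
# global section
refuse options = delete

[mirror]
    path = /srv/mirror

[upload]
    path = /srv/upload
    read only = no

[backup]
    path = /srv/backup
    read only = false
    refuse options = xattrs acls
"""

FALSE_WORDS = {"no", "false", "0"}  # boolean spellings that make a module writable

def parse_rsyncd_conf(text):
    """Return (global_params, {module: params}); parameter names are
    lowercased with all whitespace removed, e.g. 'read only' -> 'readonly'."""
    global_params, modules = {}, {}
    current = global_params
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = modules.setdefault(line[1:-1].strip(), {})
            continue
        name, sep, value = line.partition("=")  # only the first '=' separates
        if sep:
            current["".join(name.split()).lower()] = value.strip()
    return global_params, modules

def modules_exposed_to_xattrs(text):
    """List writable modules whose effective 'refuse options' does not cover xattrs."""
    global_params, modules = parse_rsyncd_conf(text)
    exposed = []
    for module, params in modules.items():
        effective = {**global_params, **params}  # module value replaces the global one
        writable = effective.get("readonly", "yes").lower() in FALSE_WORDS
        patterns = effective.get("refuseoptions", "").split()
        refused = any(fnmatch.fnmatchcase("xattrs", p) for p in patterns)
        if writable and not refused:
            exposed.append(module)
    return exposed

if __name__ == "__main__":
    for name in modules_exposed_to_xattrs(SAMPLE_CONF):
        print(f"[{name}] is writable and does not refuse xattrs")
```

This checks the configuration only; it does not tell you which rsync version the daemon is running.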

======================================================================

           =========================================================
           CERT-Renater reference servers
           http://www.urec.fr/securite
           http://www.cru.fr/securite
           http://www.renater.fr
           =========================================================
           + CERT-RENATER          | tel : 01-53-94-20-44          +
           + 151 bd de l'Hopital   | fax : 01-53-94-20-41          +
           + 75013 Paris           | email: certsvp@renater.fr     +
           =========================================================




