rsync-3.2.3-2.6 on GA media SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2024:11308 Final 1 1 2024-06-17T21:45:33Z current 2024-06-17T21:45:33Z 2024-06-17T21:45:33Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z rsync-3.2.3-2.6 on GA media These are all security issues fixed in the rsync-3.2.3-2.6 package on the GA media of openSUSE Tumbleweed. The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). openSUSE-Tumbleweed-2024-11308 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) E-Mail link for openSUSE-SU-2024:11308 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://www.suse.com/security/cve/CVE-2007-4091/ SUSE CVE CVE-2007-4091 page https://www.suse.com/security/cve/CVE-2007-6199/ SUSE CVE CVE-2007-6199 page https://www.suse.com/security/cve/CVE-2017-16548/ SUSE CVE CVE-2017-16548 page https://www.suse.com/security/cve/CVE-2018-5764/ SUSE CVE CVE-2018-5764 page https://www.suse.com/security/cve/CVE-2020-14387/ SUSE CVE CVE-2020-14387 page openSUSE Tumbleweed rsync-3.2.3-2.6 rsync-3.2.3-2.6 as a component of openSUSE Tumbleweed Multiple off-by-one errors in the sender.c in rsync 2.6.9 might allow remote attackers to execute arbitrary code via directory names that are not properly handled when calling the f_name function. CVE-2007-4091 openSUSE Tumbleweed:rsync-3.2.3-2.6 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2007-4091.html CVE-2007-4091 https://bugzilla.suse.com/279866 SUSE Bug 279866 https://bugzilla.suse.com/294073 SUSE Bug 294073 rsync before 3.0.0pre6, when running a writable rsync daemon that is not using chroot, allows remote attackers to access restricted files via unknown vectors that cause rsync to create a symlink that points outside of the module's hierarchy. CVE-2007-6199 openSUSE Tumbleweed:rsync-3.2.3-2.6 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2007-6199.html CVE-2007-6199 https://bugzilla.suse.com/345507 SUSE Bug 345507 The receive_xattr function in xattrs.c in rsync 3.1.2 and 3.1.3-development does not check for a trailing '\0' character in an xattr name, which allows remote attackers to cause a denial of service (heap-based buffer over-read and application crash) or possibly have unspecified other impact by sending crafted data to the daemon. CVE-2017-16548 openSUSE Tumbleweed:rsync-3.2.3-2.6 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2017-16548.html CVE-2017-16548 https://bugzilla.suse.com/1066644 SUSE Bug 1066644 The parse_arguments function in options.c in rsyncd in rsync before 3.1.3 does not prevent multiple --protect-args uses, which allows remote attackers to bypass an argument-sanitization protection mechanism. CVE-2018-5764 openSUSE Tumbleweed:rsync-3.2.3-2.6 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2018-5764.html CVE-2018-5764 https://bugzilla.suse.com/1076503 SUSE Bug 1076503 A flaw was found in rsync in versions since 3.2.0pre1. Rsync improperly validates certificate with host mismatch vulnerability. A remote, unauthenticated attacker could exploit the flaw by performing a man-in-the-middle attack using a valid certificate for another hostname which could compromise confidentiality and integrity of data transmitted using rsync-ssl. The highest threat from this vulnerability is to data confidentiality and integrity. This flaw affects rsync versions before 3.2.4. CVE-2020-14387 openSUSE Tumbleweed:rsync-3.2.3-2.6 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2020-14387.html CVE-2020-14387 https://bugzilla.suse.com/1176160 SUSE Bug 1176160