Security update for rsync SUSE Patch security@suse.de SUSE Security Team SUSE-SU-2025:0991-1 Final 1 1 2025-03-24T13:56:41Z current 2025-03-24T13:56:41Z 2025-03-24T13:56:41Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for rsync This update for rsync fixes the following issues: - CVE-2024-12747: Fixed race condition in handling symbolic links (bsc#1235475) - Broken rsyncd after protocol bump, regression reported (bsc#1237187). - Bump protocol version to 32 - make it easier to show server is patched. The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). Container suse/sle-micro-rancher/5.2:latest-2025-991,SUSE-2025-991,SUSE-SLE-Product-HPC-15-SP3-LTSS-2025-991,SUSE-SLE-Product-SLES-15-SP3-LTSS-2025-991,SUSE-SLE-Product-SLES_SAP-15-SP3-2025-991,SUSE-SUSE-MicroOS-5.1-2025-991,SUSE-SUSE-MicroOS-5.2-2025-991,SUSE-Storage-7.1-2025-991 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://www.suse.com/support/update/announcement/2025/suse-su-20250991-1/ Link for SUSE-SU-2025:0991-1 https://lists.suse.com/pipermail/sle-security-updates/2025-March/020585.html E-Mail link for SUSE-SU-2025:0991-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/1235475 SUSE Bug 1235475 https://bugzilla.suse.com/1237187 SUSE Bug 1237187 https://www.suse.com/security/cve/CVE-2024-12747/ SUSE CVE CVE-2024-12747 page Container suse/sle-micro-rancher/5.2:latest SUSE Enterprise Storage 7.1 SUSE Linux Enterprise High Performance Computing 15 SP3-LTSS SUSE Linux Enterprise Micro 5.1 SUSE Linux Enterprise Micro 5.2 SUSE Linux Enterprise Server 15 SP3-LTSS SUSE Linux Enterprise Server for SAP Applications 15 SP3 rsync-3.2.3-150000.4.36.1 rsync-3.2.3-150000.4.36.1 as a component of Container suse/sle-micro-rancher/5.2:latest rsync-3.2.3-150000.4.36.1 as a component of SUSE Enterprise Storage 7.1 rsync-3.2.3-150000.4.36.1 as a component of SUSE Linux Enterprise High Performance Computing 15 SP3-LTSS rsync-3.2.3-150000.4.36.1 as a component of SUSE Linux Enterprise Micro 5.1 rsync-3.2.3-150000.4.36.1 as a component of SUSE Linux Enterprise Micro 5.2 rsync-3.2.3-150000.4.36.1 as a component of SUSE Linux Enterprise Server 15 SP3-LTSS rsync-3.2.3-150000.4.36.1 as a component of SUSE Linux Enterprise Server for SAP Applications 15 SP3 A flaw was found in rsync. This vulnerability arises from a race condition during rsync's handling of symbolic links. Rsync's default behavior when encountering symbolic links is to skip them. If an attacker replaced a regular file with a symbolic link at the right time, it was possible to bypass the default behavior and traverse symbolic links. Depending on the privileges of the rsync process, an attacker could leak sensitive information, potentially leading to privilege escalation. CVE-2024-12747 Container suse/sle-micro-rancher/5.2:latest:rsync-3.2.3-150000.4.36.1 SUSE Enterprise Storage 7.1:rsync-3.2.3-150000.4.36.1 SUSE Linux Enterprise High Performance Computing 15 SP3-LTSS:rsync-3.2.3-150000.4.36.1 SUSE Linux Enterprise Micro 5.1:rsync-3.2.3-150000.4.36.1 SUSE Linux Enterprise Micro 5.2:rsync-3.2.3-150000.4.36.1 SUSE Linux Enterprise Server 15 SP3-LTSS:rsync-3.2.3-150000.4.36.1 SUSE Linux Enterprise Server for SAP Applications 15 SP3:rsync-3.2.3-150000.4.36.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-20250991-1/ https://www.suse.com/security/cve/CVE-2024-12747.html CVE-2024-12747 https://bugzilla.suse.com/1233760 SUSE Bug 1233760 https://bugzilla.suse.com/1235475 SUSE Bug 1235475