rsync update (SSA:2004-124-01) has been released for Slackware Linux:
New rsync packages are available for Slackware 8.1, 9.0, 9.1, and -current to fix a security issue. When running an rsync server without the chroot option it is possible for an attacker to write outside of the allowed directory. Any sites running rsync in that mode should upgrade right away (and should probably look into using the chroot option as well).
More details about this issue may be found in the Common Vulnerabilities and Exposures (CVE) database:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0426
Here are the details from the Slackware 9.1 ChangeLog:
+--------------------------+
Sun May 2 17:16:41 PDT 2004
patches/packages/rsync-2.6.2-i486-1.tgz: Upgraded to rsync-2.6.2.
Rsync before 2.6.1 does not properly sanitize paths when running a
read/write daemon without using chroot, allowing remote attackers to
write files outside of the module's path.
For more details, see:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0426
(* Security fix *)
+--------------------------+
Where to find the new packages:
+-----------------------------+
Updated package for Slackware 8.1:
ftp://ftp.slackware.com/pub/slackware/slackware-8.1/patches/packages/rsync-2.6.2-i386-1.tgz
Updated package for Slackware 9.0:
ftp://ftp.slackware.com/pub/slackware/slackware-9.0/patches/packages/rsync-2.6.2-i386-1.tgz
Updated package for Slackware 9.1:
ftp://ftp.slackware.com/pub/slackware/slackware-9.1/patches/packages/rsync-2.6.2-i486-1.tgz
Updated package for Slackware -current:
ftp://ftp.slackware.com/pub/slackware/slackware-current/slackware/n/rsync-2.6.2-i486-1.tgz
MD5 signatures:
+-------------+
Slackware 8.1 package:
f7702e872e7816dcb6f9b0ba27c3fb61 rsync-2.6.2-i386-1.tgz
Slackware 9.0 package:
f6ec19791028f4b355bc16d454031204 rsync-2.6.2-i386-1.tgz
Slackware 9.1 package:
a42dc11056b37c7ddd94f71e4ce20c74 rsync-2.6.2-i486-1.tgz
Slackware -current package:
31eb4e17aea2a32a98d4576fab64ab8b rsync-2.6.2-i486-1.tgz
Installation instructions:
+------------------------+
If rsync is running as a server, shut it down first.
Then, upgrade the packages as root:
# upgradepkg rsync-2.6.2-i486-1.tgz
Finally, restart the rsync server if needed.
+-----+
Slackware Linux Security Team
http://slackware.com/gpg-key
security@slackware.com
New rsync packages are available for Slackware 8.1, 9.0, 9.1, and -current to fix a security issue. When running an rsync server without the chroot option it is possible for an attacker to write outside of the allowed directory. Any sites running rsync in that mode should upgrade right away (and should probably look into using the chroot option as well).
More details about this issue may be found in the Common Vulnerabilities and Exposures (CVE) database:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0426
Here are the details from the Slackware 9.1 ChangeLog:
+--------------------------+
Sun May 2 17:16:41 PDT 2004
patches/packages/rsync-2.6.2-i486-1.tgz: Upgraded to rsync-2.6.2.
Rsync before 2.6.1 does not properly sanitize paths when running a
read/write daemon without using chroot, allowing remote attackers to
write files outside of the module's path.
For more details, see:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0426
(* Security fix *)
+--------------------------+
Where to find the new packages:
+-----------------------------+
Updated package for Slackware 8.1:
ftp://ftp.slackware.com/pub/slackware/slackware-8.1/patches/packages/rsync-2.6.2-i386-1.tgz
Updated package for Slackware 9.0:
ftp://ftp.slackware.com/pub/slackware/slackware-9.0/patches/packages/rsync-2.6.2-i386-1.tgz
Updated package for Slackware 9.1:
ftp://ftp.slackware.com/pub/slackware/slackware-9.1/patches/packages/rsync-2.6.2-i486-1.tgz
Updated package for Slackware -current:
ftp://ftp.slackware.com/pub/slackware/slackware-current/slackware/n/rsync-2.6.2-i486-1.tgz
MD5 signatures:
+-------------+
Slackware 8.1 package:
f7702e872e7816dcb6f9b0ba27c3fb61 rsync-2.6.2-i386-1.tgz
Slackware 9.0 package:
f6ec19791028f4b355bc16d454031204 rsync-2.6.2-i386-1.tgz
Slackware 9.1 package:
a42dc11056b37c7ddd94f71e4ce20c74 rsync-2.6.2-i486-1.tgz
Slackware -current package:
31eb4e17aea2a32a98d4576fab64ab8b rsync-2.6.2-i486-1.tgz
Installation instructions:
+------------------------+
If rsync is running as a server, shut it down first.
Then, upgrade the packages as root:
# upgradepkg rsync-2.6.2-i486-1.tgz
Finally, restart the rsync server if needed.
+-----+
Slackware Linux Security Team
http://slackware.com/gpg-key
security@slackware.com
