[Security] Please test new rsync-2.5.7-5.fc1 rpms that fix a security hole

Jay Fenlason fenlason at redhat.com
Mon May 10 18:08:16 UTC 2004


Updated rsync packages that fix a directory traversal security flaw
are now available for testing.

Problem Description:
---------------------------------------
Rsync is a program for synchronizing files.

Rsync before 2.6.1 does not properly sanitize paths when running a
read/write daemon without using chroot.  This could allow a remote
attacker the ability to write files outside of the module's "path",
depending on the privileges assigned to the rsync daemon.  Users not
running an rsync daemon, running a read-only daemon, or running a
chrooted daemon are not affected by this issue.  The Common
Vulnerabilities and Exposures project (cve.mitre.org) has assigned the
name CAN-2004-0426 to this issue.

These updated rpms contain a backported patch and are not affected by
this issue.  Please test them and report if they fail to work
identically to the previous 2.5.7 rpm.

These updated rpms will be pushed as an official Fedora Core 1 update
no later than the end of May, so please test them and report problems
as soon as possible.

			-- JF
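
To see which modules on a host fall into the affected case described above (writable and not chrooted), the following added example, which is not part of the original message or the rsync project, audits an rsyncd.conf. It assumes the daemon defaults of "use chroot = yes" and "read only = yes"; the sample configuration and function names are constructed for illustration.

```python
import re

# Assumed rsyncd.conf defaults: chroot enabled, modules read-only.
DEFAULTS = {"usechroot": True, "readonly": True}
BOOLS = {"yes": True, "true": True, "1": True,
         "no": False, "false": False, "0": False}

# Constructed sample configuration, not taken from the advisory.
SAMPLE = """\
use chroot = no

[mirror]
    path = /srv/mirror

[incoming]
    path = /srv/incoming
    read only = no

[backup]
    path = /srv/backup
    Read Only = false
    use chroot = yes
"""


def parse_rsyncd_conf(text):
    """Return {module: settings}; each module inherits the global section."""
    global_settings = dict(DEFAULTS)
    modules, current = {}, global_settings
    for line in text.replace("\\\n", "").splitlines():  # join continuations
        line = line.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = modules.setdefault(line[1:-1].strip(), dict(global_settings))
            continue
        key, sep, value = line.partition("=")
        # Parameter names ignore case and embedded whitespace.
        key = re.sub(r"\s+", "", key).lower()
        if sep and key in DEFAULTS and value.strip().lower() in BOOLS:
            current[key] = BOOLS[value.strip().lower()]
    return modules


def exposed_modules(text):
    """Modules that are writable and not chrooted, as in the advisory."""
    return sorted(name for name, s in parse_rsyncd_conf(text).items()
                  if not s["readonly"] and not s["usechroot"])


if __name__ == "__main__":
    print(exposed_modules(SAMPLE))
```

A module listed here is only in scope if the installed rsync predates the fix; the check narrows where to look and does not replace updating the package.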




