USN-7206-2: rsync regression
First published: Thu Jan 16 2025(Updated: )
USN-7206-1 fixed vulnerabilities in rsync. The update introduced a regression in rsync. This update fixes the problem. We apologize for the inconvenience. Original advisory details: Simon Scannell, Pedro Gallegos, and Jasiel Spelman discovered that rsync did not properly handle checksum lengths. An attacker could use this issue to execute arbitrary code. (CVE-2024-12084) Simon Scannell, Pedro Gallegos, and Jasiel Spelman discovered that rsync compared checksums with uninitialized memory. An attacker could exploit this issue to leak sensitive information. (CVE-2024-12085) Simon Scannell, Pedro Gallegos, and Jasiel Spelman discovered that rsync incorrectly handled file checksums. A malicious server could use this to expose arbitrary client files. (CVE-2024-12086) Simon Scannell, Pedro Gallegos, and Jasiel Spelman discovered that rsync mishandled symlinks for some settings. An attacker could exploit this to write files outside the intended directory. (CVE-2024-12087) Simon Scannell, Pedro Gallegos, and Jasiel Spelman discovered that rsync failed to verify symbolic link destinations for some settings. An attacker could exploit this for path traversal attacks. (CVE-2024-12088) Aleksei Gorban discovered a race condition in rsync's handling of symbolic links. An attacker could use this to access sensitive information or escalate privileges. (CVE-2024-12747)
| Affected Software | Affected Version | How to fix |
|---|---|---|
| All of | ||
| ubuntu/rsync | <3.2.7-1ubuntu1.2 | 3.2.7-1ubuntu1.2 |
| Ubuntu Ubuntu | =24.04 | |
| All of | ||
| ubuntu/rsync | <3.2.7-0ubuntu0.22.04.4 | 3.2.7-0ubuntu0.22.04.4 |
| Ubuntu Ubuntu | =22.04 | |
| All of | ||
| ubuntu/rsync | <3.1.3-8ubuntu0.9 | 3.1.3-8ubuntu0.9 |
| Ubuntu Ubuntu | =20.04 | |
| All of | ||
| ubuntu/rsync | <3.1.2-2.1ubuntu1.6+esm2 | 3.1.2-2.1ubuntu1.6+esm2 |
| Ubuntu Ubuntu | =18.04 | |
| All of | ||
| ubuntu/rsync | <3.1.1-3ubuntu1.3+esm4 | 3.1.1-3ubuntu1.3+esm4 |
| Ubuntu Ubuntu | =16.04 | |
| All of | ||
| ubuntu/rsync | <3.1.0-2ubuntu0.4+esm2 | 3.1.0-2ubuntu0.4+esm2 |
| Ubuntu Ubuntu | =14.04 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- collector/usn
- source/Ubuntu
- agent/software-canonical-lookup
- agent/weakness
- agent/severity
- agent/title
- agent/last-modified-date
- agent/references
- agent/type
- agent/softwarecombine
- agent/first-publish-date
- agent/event
- agent/description
- agent/tags
- agent/source
- package-manager/ubuntu
- vendor/ubuntu
- canonical/ubuntu ubuntu
- version/ubuntu ubuntu/24.04
- version/ubuntu ubuntu/22.04
- version/ubuntu ubuntu/20.04
- version/ubuntu ubuntu/18.04
- version/ubuntu ubuntu/16.04
- version/ubuntu ubuntu/14.04