ESB-2017.3212 - [Debian] rsync: Multiple vulnerabilities 2017-12-18


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2017.3212
                           rsync security update
                             18 December 2017

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           rsync
Publisher:         Debian
Operating System:  Debian GNU/Linux 9
                   Debian GNU/Linux 8
Impact/Access:     Denial of Service   -- Existing Account
                   Unauthorised Access -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2017-17434 CVE-2017-17433 CVE-2017-16548

Reference:         ESB-2017.3135

Original Bulletin: 
   http://www.debian.org/security/2017/dsa-4068

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

- - -------------------------------------------------------------------------
Debian Security Advisory DSA-4068-1                   security@debian.org
https://www.debian.org/security/                     Salvatore Bonaccorso
December 17, 2017                     https://www.debian.org/security/faq
- - -------------------------------------------------------------------------

Package        : rsync
CVE ID         : CVE-2017-16548 CVE-2017-17433 CVE-2017-17434
Debian Bug     : 880954 883665 883667

Several vulnerabilities were discovered in rsync, a fast, versatile,
remote (and local) file-copying tool, allowing a remote attacker to
bypass intended access restrictions or cause a denial of service.

For the oldstable distribution (jessie), these problems have been fixed
in version 3.1.1-3+deb8u1.

For the stable distribution (stretch), these problems have been fixed in
version 3.1.2-1+deb9u1.

We recommend that you upgrade your rsync packages.

For the detailed security status of rsync please refer to its security
tracker page at: https://security-tracker.debian.org/tracker/rsync

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org
- -----BEGIN PGP SIGNATURE-----
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
-----END PGP SIGNATURE-----
