6 new CVEs in "rsync".
"In the most severe CVE, an attacker only requires anonymous read access to a rsync server, such as a public mirror, to execute arbitrary code on the machine the server is running on."
That would be CVE-2024-12084 (9.8) AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H, a heap-based buffer overflow in rsyncd.
https://www.openwall.com/lists/oss-security/2025/01/14/3
Posted by jschauma@mstdn.social
Anybody know whether the issue in CVE-2024-12084 is strictly within "rsyncd", or does this also affect "rsync --server --sender"?
If so, then that would impact a lot more deployments, i.e., those that depend on SSH as the transport.
Posted by jschauma@mstdn.social
@jschauma I do not know if rsync --server is also affected, but if the transport is SSH, then the remote end is rarely unknown?
It is a reduced attack surface (only known users allowed to use SSH), and you have a better chance of identifying a hacker from the log files.
Posted by claushc@mastodon.social