The rsync utility in Linux, *BSD, and Unix-like systems is vulnerable to multiple security issues, including arbitrary code execution, arbitrary file upload, information disclosure, and privilege escalation. Hence, you must patch the system ASAP https://www.cyberciti.biz/linux-news/cve-2024-12084-rsyn-security-urgent-update-needed-on-unix-bsd-systems/
#infosec #security #linux #unix
=> More informations about this toot | More toots from nixCraft@mastodon.social
@nixCraft beware, last version on Ubuntu is super broken https://bugs.launchpad.net/ubuntu/+source/rsync/+bug/2095004
=> More informations about this toot | More toots from foo__@mastodon.social
@foo__ @nixCraft there is a fix for this (and a few more) by Natanael Copa, the Alpine Linux lead, you can wait for the 3.4.1 release or patch it manually:
https://github.com/RsyncProject/rsync/pull/705
https://github.com/RsyncProject/rsync/issues/699
Given the CVE only occurs if you are running rsync as a daemon rather than over SSH, it's probably less risky to leave it in the unpatched state until a 3.4.1 release is cut and makes its way to Ubuntu.
=> More informations about this toot | More toots from fazalmajid@vivaldi.net
@nixCraft @fazalmajid @foo__ I’ve seen at least seven CVEs mentioned in the DSA, but they are all vague whether they affect client or server, and for server, daemon or ssh. 🤬
=> More informations about this toot | More toots from mirabilos@toot.mirbsd.org
@mirabilos @fazalmajid @foo__ They affect both server and client. Update rsync on both sides.
=> More informations about this toot | More toots from nixCraft@mastodon.social
@foo__ @nixCraft @fazalmajid that’s a problem for now. It needs to say what where under what scenarios.
=> More informations about this toot | More toots from mirabilos@toot.mirbsd.org
@nixCraft @mirabilos @fazalmajid @foo__
I only do #rsync via #ssh from my private #linux client to my #selfhosted Linux Server - or use #syncthing which can sync in both directions and with more than only two computers ❤️
=> More informations about this toot | More toots from abimelechbeutelbilch@fulda.social
@abimelechbeutelbilch @nixCraft @fazalmajid @foo__ I’m also mostly concerned for anoncvs/anonrsync services and my own use between trusted systems with ssh, for now (anything else will have to wait until mental bandwidth and time).
https://security-tracker.debian.org/tracker/source-package/rsync enumerates all of them pretty well except 2024-12084. Most of them don’t affect my use cases, and if you use --delete-after, --inc-recursive is and must be disabled.
=> More informations about this toot | More toots from mirabilos@toot.mirbsd.org
@nixCraft aw heck! thanks for the headsup
I wonder how this works; like when am I vulnerable? whenever I use rsync? or just having it installed? or neither? I'm a security noob lol
=> More informations about this toot | More toots from bazkie@beige.party
@bazkie Are you running rsync in a daemon mode for the public? The risk is highest for you. Either way, having installed rsync opens up attacks from both external and internal users; hence, updating both the client and server is recommended. Even a bug in the PHP script on your web server can run rsync, and from there, it can escalate. Nasty stuff.
=> More informations about this toot | More toots from nixCraft@mastodon.social
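The question in this exchange, and in fazalmajid's earlier reply, is "when am I exposed: daemon, SSH client, or just having it installed?". The following triage script is an added example, not code from the thread or from the rsync project. It reports the installed rsync version and looks for signs of a running rsync daemon (rsyncd, normally TCP 873), which is the exposure the thread singles out. FIXED_MIN=3.4.0 is an assumption taken from the release named later in the thread; the listener, systemd unit and process checks are heuristics, and the version comparison is only a hint because distributions (Debian stable, as monnier notes) backport fixes without bumping the version string.

```sh
#!/bin/sh
# Added example (not from the thread or the rsync project): local rsync
# exposure triage. Prints the installed version and whether anything on
# this host looks like an rsync daemon. Treat the version as a hint
# (distros backport) and the daemon findings as the thing to act on.

# Release named in the thread as carrying the security fixes (assumption;
# adjust to whatever your distribution's advisory names).
FIXED_MIN=3.4.0

# Extract "3.2.7" from a first line such as
# "rsync  version 3.2.7  protocol version 31"; prints nothing on no match.
rsync_version_from_banner() {
    printf '%s\n' "$1" | sed -n 's/^rsync *version \([0-9][0-9.]*\).*/\1/p'
}

# Return 0 if dotted version $1 >= dotted version $2, else 1.
# Pure POSIX sh, so it does not depend on sort -V (absent on some BSD/macOS sorts).
version_ge() {
    _a=$1 _b=$2
    while [ -n "$_a" ] || [ -n "$_b" ]; do
        _ai=${_a%%.*} _bi=${_b%%.*}
        [ "${_ai:-0}" -gt "${_bi:-0}" ] && return 0
        [ "${_ai:-0}" -lt "${_bi:-0}" ] && return 1
        case $_a in *.*) _a=${_a#*.} ;; *) _a= ;; esac
        case $_b in *.*) _b=${_b#*.} ;; *) _b= ;; esac
    done
    return 0
}

# Print one line per sign of a running rsync daemon; return 0 if any were found.
# Every probe is skipped when its tool is missing, so this runs on minimal hosts.
rsync_daemon_hints() {
    _found=1
    if command -v ss >/dev/null 2>&1; then
        ss -ltn 2>/dev/null | grep -q ':873 ' \
            && { echo "listener on tcp/873 (ss -ltn)"; _found=0; }
    elif command -v netstat >/dev/null 2>&1; then
        netstat -an 2>/dev/null | grep -q '[.:]873 .*LISTEN' \
            && { echo "listener on tcp/873 (netstat -an)"; _found=0; }
    fi
    if command -v systemctl >/dev/null 2>&1; then
        for _u in rsync rsyncd; do
            systemctl is-active --quiet "$_u" 2>/dev/null \
                && { echo "systemd unit '$_u' is active"; _found=0; }
        done
    fi
    if command -v pgrep >/dev/null 2>&1; then
        pgrep -f 'rsync.*--daemon' >/dev/null 2>&1 \
            && { echo "rsync process running with --daemon"; _found=0; }
    fi
    # A config file alone is not proof of a daemon, but worth knowing about.
    [ -f /etc/rsyncd.conf ] && echo "note: /etc/rsyncd.conf exists"
    return $_found
}

rsync_triage() {
    if ! command -v rsync >/dev/null 2>&1; then
        echo "rsync: not installed on this host"
    else
        _banner=$(rsync --version 2>/dev/null | head -n 1)
        _ver=$(rsync_version_from_banner "$_banner")
        if [ -z "$_ver" ]; then
            echo "rsync: could not parse version from: $_banner"
        elif version_ge "$_ver" "$FIXED_MIN"; then
            echo "rsync: $_ver (>= $FIXED_MIN)"
        else
            echo "rsync: $_ver (< $FIXED_MIN; check whether your distro backported the fixes)"
        fi
    fi
    if rsync_daemon_hints; then
        echo "=> daemon exposure: anyone who can reach tcp/873 talks to rsyncd directly; patch this first"
    else
        echo "=> no daemon detected; remaining exposure is client/SSH use, so still update both ends"
    fi
}

rsync_triage
```

Run it as an unprivileged user on each host (ss and pgrep need no root for these checks); a daemon finding on an internet-facing box is the case the thread calls out as highest risk, while a clean result still leaves the client-side issues nixCraft mentions, which only updating removes.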
@nixCraft I think it's going over ssh for me. I only run it on my local machine to upload backups to my remote vps. I am the sole user of both systems, so internal is no threat.
I wonder if I should just remove rsync from my server since I'm not running it there ever!
=> More informations about this toot | More toots from bazkie@beige.party
@nixCraft thanks🙏
=> More informations about this toot | More toots from robchapman@ohai.social
@nixCraft Those @homebrew instructions for #macOS on your web page will not help the circa-2006 #rsync 2.6.9 #Apple pre-installs at /usr/bin/rsync
They probably stopped with that version because it was the last one to be #GPLv2 licensed: https://rsync.samba.org/GPL2.html
Thanks @fsf!
=> More informations about this toot | More toots from mjgardner@social.sdf.org
@mjgardner @nixCraft @homebrew @fsf
Correct. Note that the rsync Apple ships is heavily patched and adds additional functionality that was not available from upstream at the time (https://github.com/apple-oss-distributions/rsync/tree/rsync-91.40.3).
However, I always have MacPorts install the current version. I just opened a ticket to get the port updated to version 3.4.0.
=> More informations about this toot | More toots from schamschula@mastodon.social
@nixCraft done. Thanks!
=> More informations about this toot | More toots from sunscheinwerfer@mastodon.world
@nixCraft or switch to a real OS like Windows 11.
=> More informations about this toot | More toots from cdalten@sfba.social
@nixCraft Ah, that is why rsync popped up in my package manager (Mint) to be updated the other day.
=> More informations about this toot | More toots from Methylcobalamin@mastodon.social
@nixCraft I rushed to go and update my #Debian stable server, but wasn't able to because unattended-upgrades had already done so yesterday! 🙃
=> More informations about this toot | More toots from monnier@oldbytes.space
@nixCraft ahh sht, here we go again
=> More informations about this toot | More toots from koratex@urusai.social