The rsync utility in Linux, *BSD, and Unix-like systems is vulnerable to multiple security issues, including arbitrary code execution, arbitrary file upload, information disclosure, and privilege escalation. Hence, you must patch the system ASAP https://www.cyberciti.biz/linux-news/cve-2024-12084-rsyn-security-urgent-update-needed-on-unix-bsd-systems/
#infosec #security #linux #unix
=> More information about this toot | More toots from nixCraft@mastodon.social
@nixCraft beware, last version on Ubuntu is super broken https://bugs.launchpad.net/ubuntu/+source/rsync/+bug/2095004
=> More information about this toot | More toots from foo__@mastodon.social
@foo__ @nixCraft there is a fix for this (and a few more) by Natanael Copa, the Alpine Linux lead, you can wait for the 3.4.1 release or patch it manually:
https://github.com/RsyncProject/rsync/pull/705
https://github.com/RsyncProject/rsync/issues/699
Given the CVE only occurs if you are running rsync as a daemon rather than over SSH, it's probably less risky to leave it in the unpatched state until a 3.4.1 release is cut and makes its way to Ubuntu.
=> More information about this toot | More toots from fazalmajid@vivaldi.net
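The post above turns on one question: is rsync running as a network daemon on the host, or only invoked over SSH? The script below is an added triage helper written for this thread; it is not code from the thread, from Ubuntu, or from the rsync project. It checks whether the installed rsync is older than a caller-supplied fixed release (3.4.1 is used as the default only because the thread names that release; the threshold is an assumption, adjust it to your distribution's advisory) and whether an rsync daemon is actually listening on the network, recognised here by rsync's default TCP port 873 in `ss -ltn` output. The sample banner and `ss` output embedded in the script are constructed, not captured from a real host.

```shell
#!/bin/sh
# Added triage helper for the rsync advisories discussed in this thread (not
# code from the thread or the rsync project). Classifies a host as:
#   patched                   - installed rsync >= the fixed version
#   unpatched-no-daemon       - old rsync, but no daemon socket listening
#   unpatched-daemon-loopback - old rsync, daemon bound to loopback only
#   unpatched-daemon-exposed  - old rsync, daemon reachable over the network
# Assumptions (mine): the fixed version is passed in by the caller (3.4.1 is
# the default because the thread names it), and the daemon is identified by
# rsync's default TCP port 873 in `ss -ltn` output.

# version_ge A B: succeed when dotted version A is >= B (non-digits ignored).
version_ge() {
    a="$1"; b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        ax="${a%%.*}"; bx="${b%%.*}"
        if [ "$ax" = "$a" ]; then a=""; else a="${a#*.}"; fi
        if [ "$bx" = "$b" ]; then b=""; else b="${b#*.}"; fi
        ax=$(printf '%s' "$ax" | tr -cd '0-9'); bx=$(printf '%s' "$bx" | tr -cd '0-9')
        ax="${ax:-0}"; bx="${bx:-0}"
        if [ "$ax" -gt "$bx" ]; then return 0; fi
        if [ "$ax" -lt "$bx" ]; then return 1; fi
    done
    return 0
}

# rsync_version_from_banner LINE: pull "3.2.7" out of the first line printed
# by `rsync --version` ("rsync  version 3.2.7  protocol version 31").
rsync_version_from_banner() {
    printf '%s\n' "$1" | sed -n 's/^rsync *version *v\{0,1\}\([0-9][0-9.]*\).*/\1/p'
}

# rsync_daemon_listeners: read `ss -ltn` output on stdin and print the local
# address:port of every listening socket on port 873.
rsync_daemon_listeners() {
    awk '$4 ~ /:873$/ { print $4 }'
}

# rsync_exposure BANNER FIXED_VERSION: reads `ss -ltn` output on stdin and
# prints one of the four classifications listed at the top.
rsync_exposure() {
    banner="$1"; fixed="$2"
    ver=$(rsync_version_from_banner "$banner")
    if [ -n "$ver" ] && version_ge "$ver" "$fixed"; then
        echo patched; return 0
    fi
    listeners=$(rsync_daemon_listeners)
    if [ -z "$listeners" ]; then
        echo unpatched-no-daemon; return 0
    fi
    # Any daemon socket not bound to loopback is reachable from the network.
    for addr in $listeners; do
        case "$addr" in
            127.*|'[::1]:'*) ;;
            *) echo unpatched-daemon-exposed; return 0 ;;
        esac
    done
    echo unpatched-daemon-loopback
}

# Constructed sample inputs (not captured from a real machine).
SAMPLE_BANNER='rsync  version 3.2.7  protocol version 31'
SAMPLE_SS='State  Recv-Q Send-Q Local Address:Port  Peer Address:Port
LISTEN 0      128    127.0.0.1:631       0.0.0.0:*
LISTEN 0      5      0.0.0.0:873         0.0.0.0:*
LISTEN 0      5      [::]:873            [::]:*'

if [ "${RSYNC_TRIAGE_LIVE:-0}" = 1 ]; then
    # Live mode: inspect this host (needs rsync and ss on PATH).
    ss -ltn | rsync_exposure "$(rsync --version | head -n 1)" "${1:-3.4.1}"
else
    # Demo mode: run the classifier over the constructed sample.
    printf '%s\n' "$SAMPLE_SS" | rsync_exposure "$SAMPLE_BANNER" 3.4.1
fi
```

Run it with `RSYNC_TRIAGE_LIVE=1 sh rsync-triage.sh 3.4.1` to classify the local host; without the variable it runs over the constructed sample and prints `unpatched-daemon-exposed`. A host that comes back `unpatched-no-daemon` is the case the post above is describing: rsync is only ever reached through SSH, so the regression-laden package can wait for a clean release.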
@nixCraft @fazalmajid @foo__ I’ve seen at least seven CVEs mentioned in the DSA, but they are all vague whether they affect client or server, and for server, daemon or ssh. 🤬
=> More information about this toot | More toots from mirabilos@toot.mirbsd.org
@mirabilos @fazalmajid @foo__ They affect both server and client. Update rsync on both sides.
=> More information about this toot | More toots from nixCraft@mastodon.social
@foo__ @nixCraft @fazalmajid that’s a problem for now. It needs to say what where under what scenarios.
=> More information about this toot | More toots from mirabilos@toot.mirbsd.org
@nixCraft @mirabilos @fazalmajid @foo__
I only do #rsync via #ssh from my private #linux client to my #selfhosted Linux server, or use #syncthing, which can sync in both directions and with more than only two computers ❤️
=> More information about this toot | More toots from abimelechbeutelbilch@fulda.social
@abimelechbeutelbilch @nixCraft @fazalmajid @foo__ I’m also mostly concerned for anoncvs/anonrsync services and my own use between trusted systems with ssh, for now (anything else will have to wait until mental bandwidth and time).
https://security-tracker.debian.org/tracker/source-package/rsync enumerates all of them pretty well except 2024-12084. Most of them don’t affect my use cases, and if you use --delete-after, --inc-recursive is and must be disabled.
=> More information about this toot | More toots from mirabilos@toot.mirbsd.org