Nacionalni CERT

Sigurnosni nedostaci programskog paketa rsync

<p>==========================================================================<br />Ubuntu Security Notice USN-3506-1<br />December 07, 2017<br /><br />rsync vulnerabilities<br />==========================================================================<br /><br />A security issue affects these releases of Ubuntu and its derivatives:<br /><br />- Ubuntu 17.10<br />- Ubuntu 17.04<br />- Ubuntu 16.04 LTS<br />- Ubuntu 14.04 LTS<br /><br />Summary:<br /><br />Several security issues were fixed in rsync.<br /><br />Software Description:<br />- rsync: fast, versatile, remote (and local) file-copying tool<br /><br />Details:<br /><br />It was discovered that rsync proceeds with certain file metadata<br />updates before checking for a filename. An attacker could use this to<br />bypass access restrictions. (CVE-2017-17433)<br /><br />It was discovered that rsync does not check for fnamecmp filenames and<br />also does not apply the sanitize_paths protection mechanism to<br />pathnames. An attacker could use this to bypass access restrictions.<br />(CVE-2017-17434)<br /><br />Update instructions:<br /><br />The problem can be corrected by updating your system to the following<br />package versions:<br /><br />Ubuntu 17.10:<br />  rsync                           3.1.2-2ubuntu0.1<br /><br />Ubuntu 17.04:<br />  rsync                           3.1.2-1ubuntu0.1<br /><br />Ubuntu 16.04 LTS:<br />  rsync                           3.1.1-3ubuntu1.1<br /><br />Ubuntu 14.04 LTS:<br />  rsync                           3.1.0-2ubuntu0.3<br /><br />In general, a standard system update will make all the necessary<br />changes.<br /><br />References:<br />  https://www.ubuntu.com/usn/usn-3506-1<br />  CVE-2017-17433, CVE-2017-17434<br /><br />Package Information:<br />  https://launchpad.net/ubuntu/+source/rsync/3.1.2-2ubuntu0.1<br />  https://launchpad.net/ubuntu/+source/rsync/3.1.2-1ubuntu0.1<br />  https://launchpad.net/ubuntu/+source/rsync/3.1.1-3ubuntu1.1<br />  https://launchpad.net/ubuntu/+source/rsync/3.1.0-2ubuntu0.3<br />-----BEGIN PGP SIGNATURE-----<br />Version: GnuPG v2<br /><br />iQIcBAABCAAGBQJaKUNwAAoJEEW851uECx9ptrYP/imwpsEizACWfIkgFSVSFTQ3<br />QaZ+sVed7w3bzuM4PHFhMFQR7jOWdZMQVXMnZOZThZkflITgnaGx8+eZjO4RR9SB<br />oMpI0QDW+vhaXKqvIxCBHu1w8S5aBah0WzYnKFb9RVSMkzB4EtxUwjnk9hGABzY7<br />OpqrHnQ5nIdMA7+aV+E0htALjtDH73p3aYutcZz3qqrr5WKjBJPiBJPBH0rfAdxE<br />aoCI5Tv6LiY6VSoTHYOMdNFW0TlRMu7tC/UKqJbQ2Lcj59VqNSMQ1koszWcwcg0+<br />nRTQ1YTi8ZYB9hHBNvMtW1JrT3h6MLGIE0HW56/YGTv5esTCJpQfNg06JPtaIvsC<br />/gOVpK6AigXWg7HAks4HyJcZzvhNZCYKYlxeR0eq3HnR/rWOnrVIDp3qnPiNUX0Z<br />08f9lxFXIyC5L9EnwAVF/VNoWAtMnJpYSl+g+NXqyNgRCn+3/KNXd7d6oFrbXBO8<br />T8vSV/ZBKHy5Zd7HEXMQeF6sl5N3dEud1zJ3d6t6aPHK7elhwTPfE/6zgz9AEZBb<br />na1lioZ3FPOS8SHvpIFUvgrcvFPwkVQvuRJX3QHUSDO3fK9GJTbo6FTs+5Dlz1H9<br />RSovM2bk1h7DovXbNPZ5zNtNr3WiUWWsWMPZ42/PIVLVNAK6Ld3CXRz8Jc0n3SvM<br />xaSbiq6guasRlP9QGvLR<br />=0Y32<br />-----END PGP SIGNATURE-----<br />-- <br />ubuntu-security-announce mailing list<br />ubuntu-security-announce@lists.ubuntu.com<br />Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-security-announce<br /><br /><br />==========================================================================<br />Ubuntu Security Notice USN-3506-2<br />December 07, 2017<br /><br />rsync vulnerabilities<br />==========================================================================<br /><br />A security issue affects these releases of Ubuntu and its derivatives:<br /><br />- Ubuntu 12.04 ESM<br /><br />Summary:<br /><br />Several security issues were fixed in rsync.<br /><br />Software Description:<br />- rsync: fast, versatile, remote (and local) file-copying tool<br /><br />Details:<br /><br />USN-3506-1 fixed two vulnerabilities in rsync. This update provides<br />the corresponding update for Ubuntu 12.04 ESM.<br /><br />Original advisory details:<br /><br /> It was discovered that rsync proceeds with certain file metadata<br /> updates before checking for a filename. An attacker could use this to<br /> bypass access restrictions. (CVE-2017-17433)<br /><br /> It was discovered that rsync does not check for fnamecmp filenames and<br /> also does not apply the sanitize_paths protection mechanism to<br /> pathnames. An attacker could use this to bypass access restrictions.<br /> (CVE-2017-17434)<br /><br />Update instructions:<br /><br />The problem can be corrected by updating your system to the following<br />package versions:<br /><br />Ubuntu 12.04 ESM:<br />  rsync                           3.0.9-1ubuntu1.2<br /><br />In general, a standard system update will make all the necessary<br />changes.<br /><br />References:<br />  https://www.ubuntu.com/usn/usn-3506-2<br />  https://www.ubuntu.com/usn/usn-3506-1<br />  CVE-2017-17433, CVE-2017-17434<br />-----BEGIN PGP SIGNATURE-----<br />Version: GnuPG v2<br /><br />iQIcBAABCAAGBQJaKUv6AAoJEEW851uECx9pZbkP/jdMK8sRC6u8fZwrFr8ylVjq<br />GJXoh3ftERqWzNbPpXrk5hmfM5Rhcy05qaMOXlDUCUjYpn1TTB4yRY0KtYU3w8bH<br />r9k5IcVv/y5NBzvPWyLYV7dKwf+waU0+ekdh7Z2CtNrgzLDLiJCQaJJgnZMVEj8/<br />m1zUc6UbeEAqogWiEb45aDbbm/U8La4VIwT8f2mRbiTvCtGgasivOiqsVAFTKF4C<br />rn9EUP7qiGKL/1ILimzbw3aHgnnpfugmhEJ/4aFDmXSuvpNbAXMobzMtVM8at+l7<br />3H3WZOH+Hn/RbeCIuNmt52ETuYf7r+zk7bz88YCu2Rdmgk3Xjc4Ti0usiN7Y5RbW<br />yIAXDfHiWeIaZL258c2+exXScVYPKTDs1Y2nJxQfUXvNQek89NppTmMmIQKg0EvV<br />S7nXj44yXT7r0L/n1X9kcOZT5AsB9Hb0anSpDXQ/Ur1kl919fovUlvcgzpffqDL2<br />JY5qy2CX1m9w64t1Tn1PYlfkxkaXDdE0iNuaqQYtYwl5DNw4E/UhZ3IUP8rnWPFP<br />8gtkgJDD+w9auMzqz3iUw2CFE1ZAba894cPHQZcK6WDyZpWIMdt45Pvk9Vlq+9pt<br />DjLXVi9p0okpMij4ZL3No7Z5QYYebSnvzqq8Eb36h1vJHSjkxuoHlw+28heUhVJF<br />Q6w4j26+LJ8Kuy+fI81t<br />=8b3c<br />-----END PGP SIGNATURE-----<br />--</p>
Otkriveni su sigurnosni nedostaci u programskom paketu rsync za operacijski sustav Ubuntu. Otkriveni nedostaci potencijalnim napadačima omogućuju zaobilaženje sigurnosnih ograničenja. Savjetuje se ažuriranje izdanim zakrpama.