UbuntuUpdates.org

Package "rsync"

Name: rsync

Description:

fast, versatile, remote (and local) file-copying tool

Latest version: 3.1.1-3ubuntu1.3
Release: xenial (16.04)
Level: security
Repository: main
Homepage: http://rsync.samba.org/

Links


Download "rsync"


Other versions of "rsync" in Xenial

Repository Area Version
base main 3.1.1-3ubuntu1
updates main 3.1.1-3ubuntu1.3

Changelog

Version: 3.1.1-3ubuntu1.3 2020-02-25 02:07:07 UTC

  rsync (3.1.1-3ubuntu1.3) xenial-security; urgency=medium

  * SECURITY UPDATE: improper pointer arithmetic might allow
    context-dependent attackers to have unspecified impact
    - debian/patches/CVE-2016-9840.patch: remove offset pointer optimization
      in inftrees.c.
    - CVE-2016-9840
  * SECURITY UPDATE: improper pointer arithmetic might allow
    context-dependent attackers to have unspecified impact
    - debian/patches/CVE-2016-9841.patch: use post-increment only in inffast.c.
    - CVE-2016-9841
  * SECURITY UPDATE: vectors involving left shifts of negative integers might
    allow context-dependent attackers to have unspecified impact
    - debian/patches/CVE-2016-9842_1.patch: avoid shifts of negative values in
      inflateMark().
    - debian/patches/CVE-2016-9842_2.patch: avoid casting an out-of-range
      value to long.
    - CVE-2016-9842
  * SECURITY UPDATE: vectors involving big-endian CRC calculation might allow
    context-dependent attackers to have unspecified impact
    - debian/patches/CVE-2016-9843.patch: avoid pre-decrement of pointer in
      big-endian CRC calculation.
    - CVE-2016-9843

 -- Avital Ostromich <email address hidden> Thu, 13 Feb 2020 17:48:27 -0500

Source diff to previous version
CVE-2016-9840 inftrees.c in zlib 1.2.8 might allow context-dependent attackers to have unspecified impact by leveraging improper pointer arithmetic.
CVE-2016-9841 inffast.c in zlib 1.2.8 might allow context-dependent attackers to have unspecified impact by leveraging improper pointer arithmetic.
CVE-2016-9842 The inflateMark function in inflate.c in zlib 1.2.8 might allow context-dependent attackers to have unspecified impact via vectors involving left shi
CVE-2016-9843 The crc32_big function in crc32.c in zlib 1.2.8 might allow context-dependent attackers to have unspecified impact via vectors involving big-endian C

Version: 3.1.1-3ubuntu1.2 2018-01-23 17:06:33 UTC

  rsync (3.1.1-3ubuntu1.2) xenial-security; urgency=medium

  * SECURITY UPDATE: receive_xattr function does not check
    for '\0' character allowing denial of service attacks
    - debian/patches/CVE-2017-16548.patch: enforce trailing
      \0 when receiving xattr values in xattrs.c.
    - CVE-2017-16548
  * SECURITY UPDATE: Allows remote attacker to bypass argument
    - debian/patches/CVE-2018-5764.patch: Ignore --protect-args
      when already sent by client in options.c.
    - CVE-2018-5764

 -- <email address hidden> (Leonidas S. Barbosa) Thu, 18 Jan 2018 17:27:59 -0300

Source diff to previous version
CVE-2017-16548 The receive_xattr function in xattrs.c in rsync 3.1.2 and 3.1.3-development does not check for a trailing '\0' character in an xattr name, which allo
CVE-2018-5764 The parse_arguments function in options.c in rsyncd in rsync before 3.1.3 does not prevent multiple --protect-args uses, which allows remote attacker

Version: 3.1.1-3ubuntu1.1 2017-12-07 14:06:43 UTC

  rsync (3.1.1-3ubuntu1.1) xenial-security; urgency=medium

  * SECURITY UPDATE: bypass intended access restrictions
    - debian/patches/CVE-2017-17433.patch: check fname in
      recv_files sooner in receiver.c.
    - CVE-2017-17433
  * SECURITY UPDATE: not check for fnamecmp filenames and
    does not apply sanitize_paths
    - debian/patches/CVE-2017-17434-part1.patch: check daemon
      filter against fnamecmp in receiver.c.
    - debian/patches/CVE-2017-17434-part2.patch: sanitize xname
      in rsync.c.
    - CVE-2017-17434

 -- <email address hidden> (Leonidas S. Barbosa) Wed, 06 Dec 2017 11:07:22 -0300

CVE-2017-17433 The recv_files function in receiver.c in the daemon in rsync 3.1.2, and 3.1.3-development before 2017-11-03, proceeds with certain file metadata upda
CVE-2017-17434 The daemon in rsync 3.1.2, and 3.1.3-development before 2017-11-03, does not check for fnamecmp filenames in the daemon_filter_list data structure (i



About   -   Send Feedback to @ubuntu_updates