Mailinglist Archive: opensuse-updates (126 mails)

openSUSE-SU-2018:0101-1: moderate: Security update for rsync
openSUSE Security Update: Security update for rsync

Announcement ID: openSUSE-SU-2018:0101-1
Rating: moderate
References: #1028842 #1062063 #1066644 #1071459 #1071460 #915410 #999847
Cross-References: CVE-2014-9512 CVE-2017-16548 CVE-2017-17433
Affected Products:
openSUSE Leap 42.3
openSUSE Leap 42.2

An update that solves four vulnerabilities and has three
fixes is now available.


This update for rsync fixes several issues.

These security issues were fixed:

- CVE-2017-17434: The daemon in rsync did not check for fnamecmp filenames
in the daemon_filter_list data structure (in the recv_files function in
receiver.c) and also did not apply the sanitize_paths protection
mechanism to pathnames found in "xname follows" strings (in the
read_ndx_and_attrs function in rsync.c), which allowed remote attackers
to bypass intended access restrictions (bsc#1071460).
- CVE-2017-17433: The recv_files function in receiver.c in the daemon in
rsync proceeded with certain file metadata updates before checking for
a filename in the daemon_filter_list data structure, which allowed
remote attackers to bypass intended access restrictions (bsc#1071459).
- CVE-2017-16548: The receive_xattr function in xattrs.c in rsync did not
check for a trailing '\0' character in an xattr name, which allowed
remote attackers to cause a denial of service (heap-based buffer
over-read and application crash) or possibly have unspecified other
impact by sending crafted data to the daemon (bsc#1066644).
- CVE-2014-9512: Prevent attackers from writing to arbitrary files via a
symlink attack on a file in the synchronization path (bsc#915410).
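The CVE-2017-16548 item above comes down to one missing input check: a name read from the peer was used as a C string without verifying that it ends in '\0'. The following is an added example, not rsync's own code, that models the receiving side of a simplified xattr list (the wire layout, the reader struct and the function names are assumptions for illustration) and applies the check a hardened receiver needs before any strlen()/strcmp() on the name.

```c
/* Added example (not rsync's code): validate a list of extended attributes
 * received from an untrusted peer.  Modelled wire format (assumption, not
 * the real rsync protocol): u32 count, then per entry u32 name_len,
 * u32 datum_len, name bytes, datum bytes; all integers little-endian. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

struct reader { const uint8_t *p; size_t left; };

/* Read a little-endian u32; returns 0 if the stream is truncated. */
static int read_u32(struct reader *r, uint32_t *out) {
    if (r->left < 4) return 0;
    *out = (uint32_t)r->p[0] | ((uint32_t)r->p[1] << 8) |
           ((uint32_t)r->p[2] << 16) | ((uint32_t)r->p[3] << 24);
    r->p += 4; r->left -= 4;
    return 1;
}

/* Returns the number of entries accepted, or -1 on the first malformed
 * entry (truncated stream, empty name, name not NUL-terminated, or an
 * embedded NUL).  Without the trailing-NUL check, a later C-string
 * operation on the name would read past the end of the heap buffer. */
int check_xattr_list(const uint8_t *buf, size_t len) {
    struct reader r = { buf, len };
    uint32_t count, name_len, datum_len;
    if (!read_u32(&r, &count)) return -1;
    for (uint32_t i = 0; i < count; i++) {
        if (!read_u32(&r, &name_len) || !read_u32(&r, &datum_len)) return -1;
        if (name_len == 0 || r.left < name_len) return -1;
        const uint8_t *name = r.p;
        if (name[name_len - 1] != '\0') return -1;   /* the missing check */
        /* Safe now: strlen() cannot run past name[name_len - 1]. */
        if (strlen((const char *)name) != name_len - 1) return -1;
        r.p += name_len; r.left -= name_len;
        if (r.left < datum_len) return -1;
        r.p += datum_len; r.left -= datum_len;
    }
    return (int)count;
}

/* Constructed sample streams: one well-formed entry, one whose name
 * "user.a" lacks the terminating NUL. */
const uint8_t XATTR_GOOD[] = { 1,0,0,0, 7,0,0,0, 2,0,0,0,
                               'u','s','e','r','.','a','\0', 'h','i' };
const uint8_t XATTR_BAD[]  = { 1,0,0,0, 6,0,0,0, 2,0,0,0,
                               'u','s','e','r','.','a', 'h','i' };

int main(void) {
    printf("good: %d, bad: %d\n", check_xattr_list(XATTR_GOOD, sizeof XATTR_GOOD),
           check_xattr_list(XATTR_BAD, sizeof XATTR_BAD));
    return 0;
}
```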

These non-security issues were fixed:

- Stop file upload after errors like a full disk (boo#1062063)
- Ensure -X flag works even when setting owner/group (boo#1028842)

Patch Instructions:

To install this openSUSE Security Update, use YaST online_update.
Alternatively, you can run the command listed for your product:

- openSUSE Leap 42.3:

zypper in -t patch openSUSE-2018-34=1

- openSUSE Leap 42.2:

zypper in -t patch openSUSE-2018-34=1

To bring your system up-to-date, use "zypper patch".

Package List:

- openSUSE Leap 42.3 (i586 x86_64):


- openSUSE Leap 42.2 (i586 x86_64):


