Explore top 10 tips to secure your open-source projects now. Read More

×
Alerts This Week
Warning Icon 1 543
Alerts This Week
Warning Icon 1 543

Debian 8: DLA-1725-1 Critical: Rsync Compliance Issues and Fixes

debian lts
Calendar Grey March 24, 2019
Dist Debian Esm H88
To improve your rsync installation on Debian 8, ensure you update to the latest available version to rectify serious security flaws while also adhering to contemporary C standards.
Trail of Bits used the automated vulnerability discovery tools developed for the DARPA Cyber Grand Challenge to audit zlib

Summary


CVE-2016-9840
In order to avoid undefined behavior, remove offset pointer
optimization, as this is not compliant with the C standard.

CVE-2016-9841
Only use post-increment to be compliant with the C standard.

CVE-2016-9842
In order to avoid undefined behavior, do not shift negative values,
as this is not compliant with the C standard.

CVE-2016-9843
In order to avoid undefined behavior, do not pre-decrement a pointer
in big-endian CRC calculation, as this is not compliant with the
C standard.

CVE-2018-5764
Prevent remote attackers from being able to bypass the
argument-sanitization protection mechanism by ignoring --protect-args
when already sent by client.


For Debian 8 "Jessie", these problems have been fixed in version
3.1.1-3+deb8u2.

We recommend that you upgrade your rsync packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be

Read the Full Advisory


Severity
critical
Lowest
Low
Medium
High
Critical

Package: rsync
Version: 3.1.1-3+deb8u2
CVE ID: CVE-2016-9840 CVE-2016-9841 CVE-2016-9842 CVE-2016-9843

Get the latest News and Insights

Get the latest Linux and open source security news straight to your inbox.