Alerts This Week
Warning Icon 1 681
Alerts This Week
Warning Icon 1 681

Red Hat Enterprise Linux 6 RHSA-2011:0390-01 Moderate rsync Memory Flaw

Calendar Mar 28, 2011 User Avatar LinuxSecurity Advisories
2 - 4 min read
Redhat Large Esm H500
Topics%20covered

Topics Covered

security advisory moderate security issue update memory flaw rsync red hat enterprise linux
An updated rsync package that fixes one security issue is now available for Red Hat Enterprise Linux 6. The Red Hat Security Response Team has rated this update as having moderate security impact. A Common Vulnerability Scoring System (CVSS) base score, 
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

====================================================================                   Red Hat Security Advisory

Synopsis:          Moderate: rsync security update
Advisory ID:       RHSA-2011:0390-01
Product:           Red Hat Enterprise Linux
Advisory URL:      https://access.redhat.com/errata/RHSA-2011:0390.html
Issue date:        2011-03-28
CVE Names:         CVE-2011-1097 
====================================================================
1. Summary:

An updated rsync package that fixes one security issue is now available for
Red Hat Enterprise Linux 6.

The Red Hat Security Response Team has rated this update as having moderate
security impact. A Common Vulnerability Scoring System (CVSS) base score,
which gives a detailed severity rating, is available from the CVE link in
the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux Desktop (v. 6) - i386, x86_64
Red Hat Enterprise Linux HPC Node (v. 6) - x86_64
Red Hat Enterprise Linux Server (v. 6) - i386, ppc64, s390x, x86_64
Red Hat Enterprise Linux Workstation (v. 6) - i386, x86_64

3. Description:

rsync is a program for synchronizing files over a network.

A memory corruption flaw was found in the way the rsync client processed
malformed file list data. If an rsync client used the "--recursive" and
"--delete" options without the "--owner" option when connecting to a
malicious rsync server, the malicious server could cause rsync on the
client system to crash or, possibly, execute arbitrary code with the
privileges of the user running rsync. (CVE-2011-1097)

Red Hat would like to thank Wayne Davison and Matt McCutchen for reporting
this issue.

Users of rsync should upgrade to this updated package, which contains a
backported patch to resolve this issue.

4. Solution:

Before applying this update, make sure all previously-released errata
relevant to your system have been applied.

This update is available via the Red Hat Network. Details on how to
use the Red Hat Network to apply this update are available at
https://access.redhat.com/kb/docs/DOC-11259

5. Bugs fixed (http://bugzilla.redhat.com/):

675036 - CVE-2011-1097 rsync: Incremental file-list corruption due to temporary file_extra_cnt increments

6. Package List:

Red Hat Enterprise Linux Desktop (v. 6):

Source:

i386:
rsync-3.0.6-5.el6_0.1.i686.rpm
rsync-debuginfo-3.0.6-5.el6_0.1.i686.rpm

x86_64:
rsync-3.0.6-5.el6_0.1.x86_64.rpm
rsync-debuginfo-3.0.6-5.el6_0.1.x86_64.rpm

Red Hat Enterprise Linux HPC Node (v. 6):

Source:

x86_64:
rsync-3.0.6-5.el6_0.1.x86_64.rpm
rsync-debuginfo-3.0.6-5.el6_0.1.x86_64.rpm

Red Hat Enterprise Linux Server (v. 6):

Source:

i386:
rsync-3.0.6-5.el6_0.1.i686.rpm
rsync-debuginfo-3.0.6-5.el6_0.1.i686.rpm

ppc64:
rsync-3.0.6-5.el6_0.1.ppc64.rpm
rsync-debuginfo-3.0.6-5.el6_0.1.ppc64.rpm

s390x:
rsync-3.0.6-5.el6_0.1.s390x.rpm
rsync-debuginfo-3.0.6-5.el6_0.1.s390x.rpm

x86_64:
rsync-3.0.6-5.el6_0.1.x86_64.rpm
rsync-debuginfo-3.0.6-5.el6_0.1.x86_64.rpm

Red Hat Enterprise Linux Workstation (v. 6):

Source:

i386:
rsync-3.0.6-5.el6_0.1.i686.rpm
rsync-debuginfo-3.0.6-5.el6_0.1.i686.rpm

x86_64:
rsync-3.0.6-5.el6_0.1.x86_64.rpm
rsync-debuginfo-3.0.6-5.el6_0.1.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and 
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/#package

7. References:

https://access.redhat.com/security/cve/CVE-2011-1097
https://access.redhat.com/security/updates/classification/#moderate

8. Contact:

The Red Hat security contact is .  More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2011 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.4 (GNU/Linux)

iD8DBQFNkNUVXlSAg2UNWIIRAqPZAKCBsYniD5AOg31xXofY4wREt6YRxQCfcWSQ
SQCKJqI+DYNQ2eFq1WPxxLI=v4Qw
-----END PGP SIGNATURE-----


-- 
Enterprise-watch-list mailing list
This email address is being protected from spambots. You need JavaScript enabled to view it.

Red Hat Enterprise Linux 6 RHSA-2011:0390-01 Moderate rsync Memory Flaw

red hat
Calendar Grey March 28, 2011
Dist Redhat Esm H88
To enhance system security and address a memory vulnerability of moderate severity, ensure that you install the most recent version of the rsync package on Red Hat Enterprise Linux 6.
An updated rsync package that fixes one security issue is now available for Red Hat Enterprise Linux 6

Solution

Before applying this update, make sure all previously-released errata relevant to your system have been applied.

This update is available via the Red Hat Network. Details on how to use the Red Hat Network to apply this update are available at https://access.redhat.com/kb/docs/DOC-11259

Summary

rsync is a program for synchronizing files over a network.
A memory corruption flaw was found in the way the rsync client processed malformed file list data. If an rsync client used the "--recursive" and "--delete" options without the "--owner" option when connecting to a malicious rsync server, the malicious server could cause rsync on the client system to crash or, possibly, execute arbitrary code with the privileges of the user running rsync. (CVE-2011-1097)
Red Hat would like to thank Wayne Davison and Matt McCutchen for reporting this issue.
Users of rsync should upgrade to this updated package, which contains a backported patch to resolve this issue.

Topics%20covered

Topics Covered

security advisory moderate security issue update memory flaw rsync red hat enterprise linux

References

https://access.redhat.com/security/cve/CVE-2011-1097 https://access.redhat.com/security/updates/classification/#moderate

Package List

Red Hat Enterprise Linux Desktop (v. 6):
Source:
i386: rsync-3.0.6-5.el6_0.1.i686.rpm rsync-debuginfo-3.0.6-5.el6_0.1.i686.rpm
x86_64: rsync-3.0.6-5.el6_0.1.x86_64.rpm rsync-debuginfo-3.0.6-5.el6_0.1.x86_64.rpm
Red Hat Enterprise Linux HPC Node (v. 6):
Source:
x86_64: rsync-3.0.6-5.el6_0.1.x86_64.rpm rsync-debuginfo-3.0.6-5.el6_0.1.x86_64.rpm
Red Hat Enterprise Linux Server (v. 6):
Source:
i386: rsync-3.0.6-5.el6_0.1.i686.rpm rsync-debuginfo-3.0.6-5.el6_0.1.i686.rpm
ppc64: rsync-3.0.6-5.el6_0.1.ppc64.rpm rsync-debuginfo-3.0.6-5.el6_0.1.ppc64.rpm
s390x: rsync-3.0.6-5.el6_0.1.s390x.rpm rsync-debuginfo-3.0.6-5.el6_0.1.s390x.rpm
x86_64: rsync-3.0.6-5.el6_0.1.x86_64.rpm rsync-debuginfo-3.0.6-5.el6_0.1.x86_64.rpm
Red Hat Enterprise Linux Workstation (v. 6):
Source:
i386: rsync-3.0.6-5.el6_0.1.i686.rpm rsync-debuginfo-3.0.6-5.el6_0.1.i686.rpm
x86_64: rsync-3.0.6-5.el6_0.1.x86_64.rpm rsync-debuginfo-3.0.6-5.el6_0.1.x86_64.rpm
These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/#package


Advisory ID: RHSA-2011:0390-01
Product: Red Hat Enterprise Linux
Advisory URL: https://access.redhat.com/errata/RHSA-2011:0390.html
Issue date: 2011-03-28

Topic

An updated rsync package that fixes one security issue is now available forRed Hat Enterprise Linux 6.The Red Hat Security Response Team has rated this update as having moderatesecurity impact. A Common Vulnerability Scoring System (CVSS) base score,which gives a detailed severity rating, is available from the CVE link inthe References section.

Topics%20covered

Topics Covered

security advisory moderate security issue update memory flaw rsync red hat enterprise linux

Relevant Releases Architectures

Red Hat Enterprise Linux Desktop (v. 6) - i386, x86_64

Red Hat Enterprise Linux HPC Node (v. 6) - x86_64

Red Hat Enterprise Linux Server (v. 6) - i386, ppc64, s390x, x86_64

Red Hat Enterprise Linux Workstation (v. 6) - i386, x86_64

Bugs Fixed

675036 - CVE-2011-1097 rsync: Incremental file-list corruption due to temporary file_extra_cnt increments

Get the latest News and Insights

Get the latest Linux and open source security news straight to your inbox.

Your message here