Stay Secure with the Latest Linux Advisories
Refine advisories
X Clear Filters
Get the latest News and Insights
Get the latest Linux and open source security news straight to your inbox.
Community Poll
What got you started with Linux?
Loading...
Explore Latest Linux Security advisories
We found -5 articles for you...
89
security advisorysoftware updateFedoraFedora 40: FEDORA-2025-b28759cb95 critical: rsync 3.4.1 security update
New version 3.4.1, a couple of fixes for the 3.4.0 release.. -------------------------------------------------------------------------------- Fedora Update Notification FEDORA-2025-b28759cb95 2025-01-25 02:56:47.361039+00:00 -------------------------------------------------------------------------------- Name : rsync Product : Fedora 40 Version : 3.4.1 Release : 1.fc40 URL : Summary : A program for synchronizing files over a network Description : Rsync uses a reliable algorithm to bring remote and host files into sync very quickly. Rsync is fast because it just sends the differences in the files over the network instead of sending the complete files. Rsync is often used as a very powerful mirroring process or just as a more capable replacement for the rcp command. A technical report which describes the rsync algorithm is included in this package. -------------------------------------------------------------------------------- Update Information: New version 3.4.1, a couple of fixes for the 3.4.0 release. -------------------------------------------------------------------------------- ChangeLog: * Thu Jan 16 2025 Michal Ruprich - 3.4.1-0 - New version 3.4.1 - a couple of minor fixes for 3.4.0 -------------------------------------------------------------------------------- References: [ 1 ] Bug #2338383 - rsync-3.4.1 is available https://bugzilla.redhat.com/show_bug.cgi?id=2338383 -------------------------------------------------------------------------------- This update can be installed with the "dnf" update program. Use su -c 'dnf upgrade --advisory FEDORA-2025-b28759cb95' at the command line. For more information, refer to the dnf documentation available at http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label All packages are signed with the Fedora Project GPG key. More details on the GPG keys used by the Fedora Project can be foundat https://fedoraproject.org/keys -------------------------------------------------------------------------------- -- _______________________________________________ package-announce mailing list --
Jan 25, 2025
•Critical
Fedora
89
security advisoryFedoraDoS attackFedora 21: 2015-5830 Critical: NTP Authentication DoS Mitigation
Security fix for CVE-2015-1799, CVE-2015-1798, #1210324. -------------------------------------------------------------------------------- Fedora Update Notification FEDORA-2015-5830 2015-04-09 04:57:43 -------------------------------------------------------------------------------- Name : ntp Product : Fedora 21 Version : 4.2.6p5 Release : 30.fc21 URL : http://www.ntp.org Summary : The NTP daemon and utilities Description : The Network Time Protocol (NTP) is used to synchronize a computer's time with another reference time source. This package includes ntpd (a daemon which continuously adjusts system time) and utilities used to query and configure the ntpd daemon. Perl scripts ntp-wait and ntptrace are in the ntp-perl package, ntpdate is in the ntpdate package and sntp is in the sntp package. The documentation is in the ntp-doc package. -------------------------------------------------------------------------------- Update Information: Security fix for CVE-2015-1799, CVE-2015-1798, #1210324 -------------------------------------------------------------------------------- ChangeLog: * Tue Apr 14 2015 Miroslav Lichvar 4.2.6p5-30 - fix generation of MD5 keys with ntp-keygen on big-endian systems (#1210324) * Wed Apr 8 2015 Miroslav Lichvar 4.2.6p5-29 - reject packets without MAC when authentication is enabled (CVE-2015-1798) - protect symmetric associations with symmetric key against DoS attack (CVE-2015-1799) * Thu Feb 26 2015 Miroslav Lichvar 4.2.6p5-28 - don't step clock for leap second with -x option (#1196635) - allow creating all SHM segments with owner-only access - allow symmetric keys up to 32 bytes again - use larger RSA exponent in ntp-keygen - fix crash in ntpq mreadvar command - don't drop packets with source port below 123 - increase memlock limit again - fix typos in ntpd man page - improve documentation of restrict command * Thu Feb 5 2015 Miroslav Lichvar 4.2.6p5-27 - validate lengths of values in extension fields (CVE-2014-9297) - drop packets withspoofed source address ::1 (CVE-2014-9298) * Thu Jan 29 2015 Miroslav Lichvar 4.2.6p5-26 - require timedatex (#1136905) * Fri Dec 19 2014 Miroslav Lichvar 4.2.6p5-25 - don't generate weak control key for resolver (CVE-2014-9293) - don't generate weak MD5 keys in ntp-keygen (CVE-2014-9294) - fix buffer overflows via specially-crafted packets (CVE-2014-9295) - don't mobilize passive association when authentication fails (CVE-2014-9296) * Tue Nov 4 2014 Miroslav Lichvar 4.2.6p5-24 - use network-online target in ntpdate and sntp services (#1116474) - move sntp kod database to allow SELinux labeling -------------------------------------------------------------------------------- References: [ 1 ] Bug #1199435 - CVE-2015-1799 ntp: authentication doesn't protect symmetric associations against DoS attacks https://bugzilla.redhat.com/show_bug.cgi?id=1199435 [ 2 ] Bug #1199430 - CVE-2015-1798 ntp: ntpd accepts unauthenticated packets with symmetric key crypto https://bugzilla.redhat.com/show_bug.cgi?id=1199430 [ 3 ] Bug #1210324 - CVE-2015-3405 ntp: ntp-keygen may generate non-random symmetric keys on big-endian systems https://bugzilla.redhat.com/show_bug.cgi?id=1210324 -------------------------------------------------------------------------------- This update can be installed with the "yum" update program. Use su -c 'yum update ntp' at the command line. For more information, refer to "Managing Software with yum", available at . All packages are signed with the Fedora Project GPG key. More details on the GPG keys used by the Fedora Project can be found at https://fedoraproject.org/security/ -------------------------------------------------------------------------------- _______________________________________________ package-announce mailing list
Apr 28, 2015
•Critical
Fedora
98
security advisorymoderatesecurity issueRed Hat 5: RHSA-2011:0999-01 Moderate: rsync Security Issue
An updated rsync package that fixes one security issue, several bugs, and adds enhancements is now available for Red Hat Enterprise Linux 5. The Red Hat Security Response Team has rated this update as having moderate [More...]. ==================================================================== Red Hat Security Advisory Synopsis: Moderate: rsync security, bug fix, and enhancement update Advisory ID: RHSA-2011:0999-01 Product: Red Hat Enterprise Linux Advisory URL: https://access.redhat.com/errata/RHSA-2011:0999.html Issue date: 2011-07-21 CVE Names: CVE-2007-6200 ==================================================================== 1. Summary: An updated rsync package that fixes one security issue, several bugs, and adds enhancements is now available for Red Hat Enterprise Linux 5. The Red Hat Security Response Team has rated this update as having moderate security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section. 2. Relevant releases/architectures: Red Hat Enterprise Linux (v. 5 server) - i386, ia64, ppc, s390x, x86_64 Red Hat Enterprise Linux Desktop (v. 5 client) - i386, x86_64 3. Description: rsync is a program for synchronizing files over a network. A flaw was found in the way the rsync daemon handled the "filter", "exclude", and "exclude from" options, used for hiding files and preventing access to them from rsync clients. A remote attacker could use this flaw to bypass those restrictions by using certain command line options and symbolic links, allowing the attacker to overwrite those files if they knew their file names and had write access to them. (CVE-2007-6200) Note: This issue only affected users running rsync as a writable daemon: "read only" set to "false" in the rsync configuration file (for example, "/etc/rsyncd.conf"). By default, this option is set to "true". This update also fixes the following bugs: * Thersync package has been upgraded to upstream version 3.0.6, which provides a number of bug fixes and enhancements over the previous version. (BZ#339971) * When running an rsync daemon that was receiving files, a deferred info, error or log message could have been sent directly to the sender instead of being handled by the "rwrite()" function in the generator. Also, under certain circumstances, a deferred info or error message from the receiver could have bypassed the log file and could have been sent only to the client process. As a result, an "unexpected tag 3" fatal error could have been displayed. These problems have been fixed in this update so that an rsync daemon receiving files now works as expected. (BZ#471182) * Prior to this update, the rsync daemon called a number of timezone-using functions after doing a chroot. As a result, certain C libraries were unable to generate proper timestamps from inside a chrooted daemon. This bug has been fixed in this update so that the rsync daemon now calls the respective timezone-using functions prior to doing a chroot, and proper timestamps are now generated as expected. (BZ#575022) * When running rsync under a non-root user with the "-A" ("--acls") option and without using the "--numeric-ids" option, if there was an Access Control List (ACL) that included a group entry for a group that the respective user was not a member of on the receiving side, the "acl_set_file()" function returned an invalid argument value ("EINVAL"). This was caused by rsync mistakenly mapping the group name to the Group ID "GID_NONE" ("-1"), which failed. The bug has been fixed in this update so that no invalid argument is returned and rsync works as expected. (BZ#616093) * When creating a sparse file that was zero blocks long, the "rsync - --sparse" command did not properly truncate the sparse file at the end of the copy transaction. As a result, the file size was bigger than expected. This bug has been fixed in this update by properly truncating the file so that rsync now copies suchfiles as expected. (BZ#530866) * Under certain circumstances, when using rsync in daemon mode, rsync generator instances could have entered an infinitive loop, trying to write an error message for the receiver to an invalid socket. This problem has been fixed in this update by adding a new sibling message: when the receiver is reporting a socket-read error, the generator will notice this fact and avoid writing an error message down the socket, allowing it to close down gracefully when the pipe from the receiver closes. (BZ#690148) * Prior to this update, there were missing deallocations found in the "start_client()" function. This bug has been fixed in this update and no longer occurs. (BZ#700450) All users of rsync are advised to upgrade to this updated package, which resolves these issues and adds enhancements. 4. Solution: Before applying this update, make sure all previously-released errata relevant to your system have been applied. This update is available via the Red Hat Network. Details on how to use the Red Hat Network to apply this update are available at https://access.redhat.com/kb/docs/DOC-11259 5. Bugs fixed (http://bugzilla.redhat.com/): 339971 - [RFE] Rebase rsync packages to version 3 407171 - CVE-2007-6200 rsync excluded content access restrictions bypass via symlinks 471182 - rsync errors: unexpected tag 3 [sender] 530866 - rsync --sparse does not properly copy sparse files 575022 - rsyncd gets confused with timezones when logging to syslog 616093 - EINVAL (Invalid argument) setting group --acls 690148 - Rsync instances stay in memory when using in daemon mode 700450 - Resource leaks revealed by Coverity scan. 6. Package List: Red Hat Enterprise Linux Desktop (v. 5 client): Source: i386: rsync-3.0.6-4.el5.i386.rpm rsync-debuginfo-3.0.6-4.el5.i386.rpm x86_64: rsync-3.0.6-4.el5.x86_64.rpm rsync-debuginfo-3.0.6-4.el5.x86_64.rpm Red Hat Enterprise Linux (v. 5server): Source: i386: rsync-3.0.6-4.el5.i386.rpm rsync-debuginfo-3.0.6-4.el5.i386.rpm ia64: rsync-3.0.6-4.el5.ia64.rpm rsync-debuginfo-3.0.6-4.el5.ia64.rpm ppc: rsync-3.0.6-4.el5.ppc.rpm rsync-debuginfo-3.0.6-4.el5.ppc.rpm s390x: rsync-3.0.6-4.el5.s390x.rpm rsync-debuginfo-3.0.6-4.el5.s390x.rpm x86_64: rsync-3.0.6-4.el5.x86_64.rpm rsync-debuginfo-3.0.6-4.el5.x86_64.rpm These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key#package 7. References: https://access.redhat.com/security/cve/CVE-2007-6200 https://access.redhat.com/security/updates/classification#moderate 8. Contact: The Red Hat security contact is . More contact details at https://access.redhat.com/security/team/contact Copyright 2011 Red Hat, Inc. . An update for Rsync in RHEL 5 has been released to resolve moderate security vulnerabilities and fix existing bugs, incorporating various enhancements.. Rsync Security Update, RHEL 5, Bug Fixes, Network Synchronization. . LinuxSecurity.com Team
Jul 21, 2011
Red Hat
98
security advisoryRed HatcriticalRed Hat: RHSA-2004:436-01 Critical: rsync Path Sanitization Issue
An updated rsync package that fixes a path sanitizing bug is now available.. --------------------------------------------------------------------- Red Hat Security Advisory Synopsis: Updated rsync package fixes security issue Advisory ID: RHSA-2004:436-01 Issue date: 2004-09-01 Updated on: 2004-09-01 Product: Red Hat Enterprise Linux CVE Names: CAN-2004-0792 --------------------------------------------------------------------- 1. Summary: An updated rsync package that fixes a path sanitizing bug is now available. 2. Relevant releases/architectures: Red Hat Enterprise Linux AS (Advanced Server) version 2.1 - i386, ia64 Red Hat Linux Advanced Workstation 2.1 - ia64 Red Hat Enterprise Linux ES version 2.1 - i386 Red Hat Enterprise Linux WS version 2.1 - i386 Red Hat Enterprise Linux AS version 3 - i386, ia64, ppc, ppc64, s390, s390x, x86_64 Red Hat Desktop version 3 - i386, x86_64 Red Hat Enterprise Linux ES version 3 - i386, ia64, x86_64 Red Hat Enterprise Linux WS version 3 - i386, ia64, x86_64 3. Problem description: The rsync program synchronizes files over a network. Versions of rsync up to and including version 2.6.2 contain a path sanitization issue. This issue could allow an attacker to read or write files outside of the rsync directory. This vulnerability is only exploitable when an rsync server is enabled and is not running within a chroot. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-0792 to this issue. Users of rsync are advised to upgrade to this updated package, which contains a backported patch and is not affected by this issue. 4. Solution: Before applying this update, make sure that all previously-released errata relevant to your system have been applied. Use Red Hat Network to download and update your packages. To launch the Red Hat Update Agent, use the following command: up2date For information on how to install packages manually, refer to the followingWeb page for the System Administration or Customization guide specific to your system: https://docs.redhat.com/en/documentation/red_hat_enterprise_linux/9/ 5. Bug IDs fixed (http://bugzilla.redhat.com/ for more info): 130050 - rsync path sanitizing bug 6. RPMs required: Red Hat Enterprise Linux AS (Advanced Server) version 2.1: SRPMS: 38c1f184d5cc84489a573e904c6e7988 rsync-2.5.7-3.21AS.1.src.rpm i386: ded5b61ac737f3c1c61dc8b9335c207e rsync-2.5.7-3.21AS.1.i386.rpm ia64: fa113cb18579a3d71d021ef4674deffa rsync-2.5.7-3.21AS.1.ia64.rpm Red Hat Linux Advanced Workstation 2.1: SRPMS: 38c1f184d5cc84489a573e904c6e7988 rsync-2.5.7-3.21AS.1.src.rpm ia64: fa113cb18579a3d71d021ef4674deffa rsync-2.5.7-3.21AS.1.ia64.rpm Red Hat Enterprise Linux ES version 2.1: SRPMS: 38c1f184d5cc84489a573e904c6e7988 rsync-2.5.7-3.21AS.1.src.rpm i386: ded5b61ac737f3c1c61dc8b9335c207e rsync-2.5.7-3.21AS.1.i386.rpm Red Hat Enterprise Linux WS version 2.1: SRPMS: 38c1f184d5cc84489a573e904c6e7988 rsync-2.5.7-3.21AS.1.src.rpm i386: ded5b61ac737f3c1c61dc8b9335c207e rsync-2.5.7-3.21AS.1.i386.rpm Red Hat Enterprise Linux AS version 3: SRPMS: a08f47856c11488dbb199e2960618439 rsync-2.5.7-5.3E.src.rpm i386: d0966ec43976699f3ae0c275fdcd066f rsync-2.5.7-5.3E.i386.rpm ia64: 7a4ead9d5e1d755b453a8b5a2964eb75 rsync-2.5.7-5.3E.ia64.rpm ppc: 8a771ecf22666ed3f3de2af94ff0059b rsync-2.5.7-5.3E.ppc.rpm ppc64: cacc25c9afc8a5256204725597295be3 rsync-2.5.7-5.3E.ppc64.rpm s390: c4227c768095dd4f4c62f5b6eb7abe8c rsync-2.5.7-5.3E.s390.rpm s390x: 16177f1105d0bff168394b84e9ce187a rsync-2.5.7-5.3E.s390x.rpm x86_64: d0b5238572ed1d2b26102a8f7be694c4 rsync-2.5.7-5.3E.x86_64.rpm Red Hat Desktop version 3: SRPMS: a08f47856c11488dbb199e2960618439 rsync-2.5.7-5.3E.src.rpm i386: d0966ec43976699f3ae0c275fdcd066f rsync-2.5.7-5.3E.i386.rpm x86_64: d0b5238572ed1d2b26102a8f7be694c4 rsync-2.5.7-5.3E.x86_64.rpm Red Hat Enterprise Linux ES version 3: SRPMS: a08f47856c11488dbb199e2960618439 rsync-2.5.7-5.3E.src.rpm i386: d0966ec43976699f3ae0c275fdcd066f rsync-2.5.7-5.3E.i386.rpm ia64: 7a4ead9d5e1d755b453a8b5a2964eb75 rsync-2.5.7-5.3E.ia64.rpm x86_64: d0b5238572ed1d2b26102a8f7be694c4 rsync-2.5.7-5.3E.x86_64.rpm Red Hat Enterprise Linux WS version 3: SRPMS: a08f47856c11488dbb199e2960618439 rsync-2.5.7-5.3E.src.rpm i386: d0966ec43976699f3ae0c275fdcd066f rsync-2.5.7-5.3E.i386.rpm ia64: 7a4ead9d5e1d755b453a8b5a2964eb75 rsync-2.5.7-5.3E.ia64.rpm x86_64: d0b5238572ed1d2b26102a8f7be694c4 rsync-2.5.7-5.3E.x86_64.rpm These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from 7. References: / https://www.cve.org/CVERecord?id=CVE-CAN-2004-0792 8. Contact: The Red Hat security contact is
Sep 01, 2004
•Critical
Red Hat
Get the latest News and Insights
Get the latest Linux and open source security news straight to your inbox.
Community Poll
What got you started with Linux?
Search Topics
Powered By
Linux Security - Your source for Top Linux News, Advisories, HOWTOs and Feature Releases
QUICK LINKS
subscribe to newsletters!
Like staying secure? So do we.
Sign up for updates, tips, and alerts!