Explore top 10 tips to secure your open-source projects now. Read More
×
The following updated rpms for Oracle Linux 9 have been uploaded to the Unbreakable Linux Network:. Oracle Linux Security Advisory ELSA-2026-19368 http://linux.oracle.com/errata/ELSA-2026-19368.html The following updated rpms for Oracle Linux 9 have been uploaded to the Unbreakable Linux Network: x86_64: rsync-3.2.5-7.el9_8.2.x86_64.rpm rsync-daemon-3.2.5-7.el9_8.2.noarch.rpm rsync-rrsync-3.2.5-7.el9_8.2.noarch.rpm aarch64: rsync-3.2.5-7.el9_8.2.aarch64.rpm rsync-daemon-3.2.5-7.el9_8.2.noarch.rpm rsync-rrsync-3.2.5-7.el9_8.2.noarch.rpm SRPMS: http://oss.oracle.com/ol9/SRPMS-updates/rsync-3.2.5-7.el9_8.2.src.rpm Related CVEs: CVE-2024-12086 CVE-2026-41035 Description of changes: [3.2.5-7.2] - Fix integer overflow in compressed-token decoding (CVE-2026-43618) - Resolves: RHEL-174932 [3.2.5-7.1] - Fix TOCTOU symlink race in daemon no-chroot mode (CVE-2026-29518) - Resolves: RHEL-174952 [3.2.5-4] - Resolves: RHEL-104404 - Do not clear DISPLAY unconditionally _______________________________________________ El-errata mailing list
The following updated rpms for Oracle Linux 9 have been uploaded to the Unbreakable Linux Network:. Oracle Linux Security Advisory ELSA-2026-26410 http://linux.oracle.com/errata/ELSA-2026-26410.html The following updated rpms for Oracle Linux 9 have been uploaded to the Unbreakable Linux Network: x86_64: rsync-3.2.5-7.el9_8.2.x86_64.rpm rsync-daemon-3.2.5-7.el9_8.2.noarch.rpm rsync-rrsync-3.2.5-7.el9_8.2.noarch.rpm aarch64: rsync-3.2.5-7.el9_8.2.aarch64.rpm rsync-daemon-3.2.5-7.el9_8.2.noarch.rpm rsync-rrsync-3.2.5-7.el9_8.2.noarch.rpm SRPMS: http://oss.oracle.com/ol9/SRPMS-updates/rsync-3.2.5-7.el9_8.2.src.rpm Related CVEs: CVE-2026-29518 CVE-2026-43618 Description of changes: [3.2.5-7.2] - Fix integer overflow in compressed-token decoding (CVE-2026-43618) - Resolves: RHEL-174932 [3.2.5-7.1] - Fix TOCTOU symlink race in daemon no-chroot mode (CVE-2026-29518) - Resolves: RHEL-174952 [3.2.5-4] - Resolves: RHEL-104404 - Do not clear DISPLAY unconditionally _______________________________________________ El-errata mailing list
New version 3.4.4 with multiple regression fixes. This update also fixes the following CVEs: CVE-2026-29518 CVE-2026-43617 CVE-2026-43618 CVE-2026-43619 CVE-2026-43620 CVE-2026-45232. -------------------------------------------------------------------------------- Fedora Update Notification FEDORA-2026-a04e445b3f 2026-06-26 01:14:26.672392+00:00 -------------------------------------------------------------------------------- Name : rsync Product : Fedora 43 Version : 3.4.4 Release : 1.fc43 URL : https://rsync.samba.org/ Summary : A program for synchronizing files over a network Description : Rsync uses a reliable algorithm to bring remote and host files into sync very quickly. Rsync is fast because it just sends the differences in the files over the network instead of sending the complete files. Rsync is often used as a very powerful mirroring process or just as a more capable replacement for the rcp command. A technical report which describes the rsync algorithm is included in this package. -------------------------------------------------------------------------------- Update Information: New version 3.4.4 with multiple regression fixes. This update also fixes the following CVEs: CVE-2026-29518 CVE-2026-43617 CVE-2026-43618 CVE-2026-43619 CVE-2026-43620 CVE-2026-45232 -------------------------------------------------------------------------------- ChangeLog: * Mon Jun 8 2026 Michal Ruprich - 3.4.4-1 - New version 3.4.4 * Fri May 29 2026 Michal Ruprich - 3.4.3-1 - New version 3.4.3 -------------------------------------------------------------------------------- References: [ 1 ] Bug #2463360 - rsync-3.4.3 is available https://bugzilla.redhat.com/show_bug.cgi?id=2463360 [ 2 ] Bug #2480388 - CVE-2026-45232 rsync: Rsync: Denial of Service via malformed HTTP proxy response [fedora-all] https://bugzilla.redhat.com/show_bug.cgi?id=2480388 [ 3 ] Bug #2486185 - rsync-3.4.4 is available https://bugzilla.redhat.com/show_bug.cgi?id=2486185 -------------------------------------------------------------------------------- This update can be installed with the "dnf" update program. Use su -c 'dnf upgrade --advisory FEDORA-2026-a04e445b3f' at the command line. For more information, refer to the dnf documentation available at http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label All packages are signed with the Fedora Project GPG key. More details on the GPG keys used by the Fedora Project can be found at https://fedoraproject.org/keys -------------------------------------------------------------------------------- -- _______________________________________________ package-announce mailing list --
Important: rsync security, bug fix, and enhancement update. {"type": "TYPE_SECURITY", "shortCode": "RL", "name": "RLSA-2026:26332", "synopsis": "Important: rsync security, bug fix, and enhancement update", "severity": "SEVERITY_IMPORTANT", "topic": "An update is available for rsync.\nThis update affects Rocky Linux 10.\nA Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE list", "description": "The rsync utility enables the users to copy and synchronize files locally or across a network. Synchronization with rsync is fast because rsync only sends the differences in files over the network instead of sending whole files. The rsync utility is also used as a mirroring tool.\n\nSecurity Fix(es):\n\n* rsync: rsync: Remote memory disclosure via integer overflow in compressed-token decoding (CVE-2026-43618)\n\n* rsync: TOCTOU symlink race condition allowing local privilege escalation in daemon mode without chroot. (CVE-2026-29518)\n\nBug Fix(es) and Enhancement(s):\n\n* Rebase rsync to version 3.4.4 in Rocky Linux10 (JIRA:Rocky Linux-181630)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.", "solution": null, "affectedProducts": ["Rocky Linux 10"], "fixes": [{"ticket": "2469054", "sourceBy": "Red Hat", "sourceLink": "https://bugzilla.redhat.com/show_bug.cgi?id=2469054", "description": ""}, {"ticket": "2469055", "sourceBy": "Red Hat", "sourceLink": "https://bugzilla.redhat.com/show_bug.cgi?id=2469055", "description": ""}], "cves": [{"name": "CVE-2026-29518", "sourceBy": "MITRE", "sourceLink": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-29518", "cvss3ScoringVector": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H", "cvss3BaseScore": "7.8", "cwe": "CWE-367"}, {"name": "CVE-2026-43618", "sourceBy": "MITRE", "sourceLink":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-43618", "cvss3ScoringVector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "cvss3BaseScore": "8.1", "cwe": "CWE-190"}], "references": [], "publishedAt": "2026-06-19T06:04:41.448408Z", "rpms": {"Rocky Linux 10": {"nvras": ["rsync-debugsource-0:3.4.4-1.el10_2.s390x.rpm", "rsync-0:3.4.4-1.el10_2.aarch64.rpm", "rsync-daemon-0:3.4.4-1.el10_2.noarch.rpm", "rsync-0:3.4.4-1.el10_2.s390x.rpm", "rsync-0:3.4.4-1.el10_2.ppc64le.rpm", "rsync-debugsource-0:3.4.4-1.el10_2.ppc64le.rpm", "rsync-debuginfo-0:3.4.4-1.el10_2.aarch64.rpm", "rsync-rrsync-0:3.4.4-1.el10_2.noarch.rpm", "rsync-0:3.4.4-1.el10_2.x86_64.rpm", "rsync-debugsource-0:3.4.4-1.el10_2.aarch64.rpm", "rsync-debuginfo-0:3.4.4-1.el10_2.x86_64.rpm", "rsync-debuginfo-0:3.4.4-1.el10_2.s390x.rpm", "rsync-debugsource-0:3.4.4-1.el10_2.x86_64.rpm", "rsync-0:3.4.4-1.el10_2.src.rpm", "rsync-debuginfo-0:3.4.4-1.el10_2.ppc64le.rpm"]}}, "rebootSuggested": false, "buildReferences": []}. Important rsync security update fixes remote memory disclosure and local privilege escalation issues in Rocky Linux 10.. rsync security update, important rsync update, local privilege escalation, remote access exploit, rocky linux advisory. . Severity: Important. LinuxSecurity.com Team
The following updated rpms for Oracle Linux 8 have been uploaded to the Unbreakable Linux Network:. Oracle Linux Security Advisory ELSA-2026-26408 http://linux.oracle.com/errata/ELSA-2026-26408.html The following updated rpms for Oracle Linux 8 have been uploaded to the Unbreakable Linux Network: x86_64: rsync-3.1.3-27.el8_10.x86_64.rpm rsync-daemon-3.1.3-27.el8_10.noarch.rpm aarch64: rsync-3.1.3-27.el8_10.aarch64.rpm rsync-daemon-3.1.3-27.el8_10.noarch.rpm SRPMS: http://oss.oracle.com/ol8/SRPMS-updates/rsync-3.1.3-27.el8_10.src.rpm Related CVEs: CVE-2026-29518 CVE-2026-43618 Description of changes: [3.1.3-27] - Integer overflow in compressed-token decoding (CVE-2026-43618) - Resolves: RHEL-174951 [3.1.3-26] - Resolves: RHEL-174950 - CVE-2026-29518 - TOCTOU symlink race in non-chrooted daemon modules _______________________________________________ El-errata mailing list
Important: rsync security update. {"type": "TYPE_SECURITY", "shortCode": "RL", "name": "RLSA-2026:26410", "synopsis": "Important: rsync security update", "severity": "SEVERITY_IMPORTANT", "topic": "An update is available for rsync.\nThis update affects Rocky Linux 9.\nA Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE list", "description": "The rsync utility enables the users to copy and synchronize files locally or across a network. Synchronization with rsync is fast because rsync only sends the differences in files over the network instead of sending whole files. The rsync utility is also used as a mirroring tool.\n\nSecurity Fix(es):\n\n* rsync: rsync: Remote memory disclosure via integer overflow in compressed-token decoding (CVE-2026-43618)\n\n* rsync: TOCTOU symlink race condition allowing local privilege escalation in daemon mode without chroot. (CVE-2026-29518)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.", "solution": null, "affectedProducts": ["Rocky Linux 9"], "fixes": [{"ticket": "2469054", "sourceBy": "Red Hat", "sourceLink": "https://bugzilla.redhat.com/show_bug.cgi?id=2469054", "description": ""}, {"ticket": "2469055", "sourceBy": "Red Hat", "sourceLink": "https://bugzilla.redhat.com/show_bug.cgi?id=2469055", "description": ""}], "cves": [{"name": "CVE-2026-29518", "sourceBy": "MITRE", "sourceLink": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-29518", "cvss3ScoringVector": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H", "cvss3BaseScore": "7.8", "cwe": "CWE-367"}, {"name": "CVE-2026-43618", "sourceBy": "MITRE", "sourceLink": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-43618", "cvss3ScoringVector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "cvss3BaseScore": "8.1", "cwe": "CWE-190"}], "references": [], "publishedAt":"2026-06-17T12:03:08.073041Z", "rpms": {"Rocky Linux 9": {"nvras": ["rsync-daemon-0:3.2.5-7.el9_8.2.noarch.rpm", "rsync-debuginfo-0:3.2.5-7.el9_8.2.aarch64.rpm", "rsync-debuginfo-0:3.2.5-7.el9_8.2.ppc64le.rpm", "rsync-debuginfo-0:3.2.5-7.el9_8.2.s390x.rpm", "rsync-debuginfo-0:3.2.5-7.el9_8.2.x86_64.rpm", "rsync-debugsource-0:3.2.5-7.el9_8.2.aarch64.rpm", "rsync-0:3.2.5-7.el9_8.2.aarch64.rpm", "rsync-0:3.2.5-7.el9_8.2.ppc64le.rpm", "rsync-0:3.2.5-7.el9_8.2.s390x.rpm", "rsync-0:3.2.5-7.el9_8.2.src.rpm", "rsync-0:3.2.5-7.el9_8.2.x86_64.rpm", "rsync-debugsource-0:3.2.5-7.el9_8.2.ppc64le.rpm", "rsync-debugsource-0:3.2.5-7.el9_8.2.s390x.rpm", "rsync-debugsource-0:3.2.5-7.el9_8.2.x86_64.rpm", "rsync-rrsync-0:3.2.5-7.el9_8.2.noarch.rpm"]}}, "rebootSuggested": false, "buildReferences": []}. Explore the important rsync security update for Rocky Linux 9 to mitigate critical risks from vulnerabilities.. rsync update, Rocky Linux, security advisory, important, remote access issues. . Severity: Important. LinuxSecurity.com Team
USN-8349-1 introduced regressions in rsync.. ========================================================================== Ubuntu Security Notice USN-8349-3 June 16, 2026 rsync regression ========================================================================== A security issue affects these releases of Ubuntu and its derivatives: - Ubuntu 20.04 LTS - Ubuntu 18.04 LTS - Ubuntu 16.04 LTS - Ubuntu 14.04 LTS Summary: USN-8349-1 introduced regressions in rsync. Software Description: - rsync: fast, versatile, remote (and local) file-copying tool Details: USN-8349-1 fixed vulnerabilities in rsync. Unfortunately that update introduced multiple regressions in rsync functionality. This update fixes the problem. We apologize for the inconvenience. Original advisory details: Calum Hutton discovered that rsync contained a heap-based out-of-bounds read when handling file transfers. A remote attacker with read access to an rsync server could possibly use this issue to cause a denial of service. (CVE-2025-10158) Batuhan Sancak, Damien Neil, and Michael Stapelberg discovered that rsync daemons configured without chroot protection were exposed to a race condition on parent path components. A local attacker with write access to a module could possibly use this issue to overwrite files, obtain sensitive information, or escalate privileges. (CVE-2026-29518) It was discovered that rsync did not properly validate a length value while sorting extended attributes. An attacker could possibly use this issue to cause a denial of service. (CVE-2026-41035) It was discovered that rsync performed reverse-DNS lookups after chrooting in some daemon configurations. A remote attacker could possibly use this issue to bypass hostname-based access controls and access network services. (CVE-2026-43617) Omar Elsayed discovered that rsync did not properly check for integer overflows while decoding compressed tokens. A remote attacker could possibly use this issue to obtain sensitive information. (CVE-2026-43618) Andrew Tridgell discovered that rsync did not fully fix a symlink race condition in path-based system calls for daemons configured without chroot protection. A local attacker could possibly use this issue to overwrite files, obtain sensitive information, or escalate privileges. (CVE-2026-43619) Pratham Gupta discovered that rsync did not properly validate an index while processing file lists. A remote attacker could possibly use this issue to cause rsync to crash, resulting in a denial of service. (CVE-2026-43620) Michal Ruprich discovered that rsync contained an off-by-one error while handling HTTP proxy responses. An attacker able to intercept network communications or a malicious proxy server could possibly use this issue to cause a denial of service. (CVE-2026-45232) Update instructions: The problem can be corrected by updating your system to the following package versions: Ubuntu 20.04 LTS rsync 3.1.3-8ubuntu0.9+esm2 Available with Ubuntu Pro Ubuntu 18.04 LTS rsync 3.1.2-2.1ubuntu1.6+esm4 Available with Ubuntu Pro Ubuntu 16.04 LTS rsync 3.1.1-3ubuntu1.3+esm6 Available with Ubuntu Pro Ubuntu 14.04 LTS rsync 3.1.0-2ubuntu0.4+esm4 Available with Ubuntu Pro In general, a standard system update will make all the necessary changes. After a standard system update you need to restart rsync daemons to make all the necessary changes. References: https://ubuntu.com/security/notices/USN-8349-3 https://ubuntu.com/security/notices/USN-8349-2 https://ubuntu.com/security/notices/USN-8349-1 https://launchpad.net/bugs/2155874 . Critical updates with fixes for rsync regressions in Ubuntu 20.04 to 14.04 LTS addressing security issues.. rsync updates, Ubuntu security, rsync patch, system updates, security issues. . Severity: Important.LinuxSecurity.com Team
An update that solves eight vulnerabilities can now be installed.. # Security update for rsync Announcement ID: SUSE-SU-2026:22015-1 Release Date: 2026-06-02T09:13:41Z Rating: important References: * bsc#1254441 * bsc#1262223 * bsc#1264511 * bsc#1264512 * bsc#1264513 * bsc#1264514 * bsc#1264515 * bsc#1265296 Cross-References: * CVE-2025-10158 * CVE-2026-29518 * CVE-2026-41035 * CVE-2026-43617 * CVE-2026-43618 * CVE-2026-43619 * CVE-2026-43620 * CVE-2026-45232 CVSS scores: * CVE-2025-10158 ( SUSE ): 4.3 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N * CVE-2025-10158 ( NVD ): 4.3 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N * CVE-2026-29518 ( SUSE ): 7.3 CVSS:4.0/AV:L/AC:H/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N * CVE-2026-29518 ( SUSE ): 7.0 CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H * CVE-2026-29518 ( NVD ): 7.3 CVSS:4.0/AV:L/AC:H/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X * CVE-2026-29518 ( NVD ): 7.0 CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H * CVE-2026-41035 ( SUSE ): 8.6 CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N * CVE-2026-41035 ( SUSE ): 7.2 CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H * CVE-2026-41035 ( NVD ): 7.8 CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H * CVE-2026-41035 ( NVD ): 7.4 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L * CVE-2026-43617 ( SUSE ): 6.3 CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N * CVE-2026-43617 ( SUSE ): 4.8 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N * CVE-2026-43617 ( NVD ): 6.3 CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X * CVE-2026-43617 ( NVD ): 4.8 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N * CVE-2026-43618 ( SUSE ): 6.1 CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:N/VA:H/SC:N/SI:N/SA:N * CVE-2026-43618 ( SUSE ): 8.1 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H * CVE-2026-43618 ( NVD ): 6.1 CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X * CVE-2026-43618 ( NVD ): 8.1 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H * CVE-2026-43619 ( SUSE ): 7.2 CVSS:4.0/AV:L/AC:H/AT:P/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N * CVE-2026-43619 ( SUSE ): 6.3 CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N * CVE-2026-43619 ( NVD ): 7.2 CVSS:4.0/AV:L/AC:H/AT:P/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X * CVE-2026-43619 ( NVD ): 6.3 CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N * CVE-2026-43620 ( SUSE ): 6.9 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N * CVE-2026-43620 ( SUSE ): 6.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H * CVE-2026-43620 ( NVD ): 6.9 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X * CVE-2026-43620 ( NVD ): 6.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H * CVE-2026-43620 ( NVD ): 5.5 CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H * CVE-2026-45232 ( SUSE ): 2.1 CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:A/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N * CVE-2026-45232 ( SUSE ): 4.2 CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:L * CVE-2026-45232 ( NVD ): 2.1 CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:A/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X * CVE-2026-45232 ( NVD ): 3.7 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L * CVE-2026-45232 ( NVD ): 3.1 CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:L Affected Products: * SUSE LinuxEnterprise Server 16.0 * SUSE Linux Enterprise Server for SAP applications 16.0 An update that solves eight vulnerabilities can now be installed. ## Description: This update for rsync fixes the following issues * CVE-2025-10158: Out of bounds array access via negative index (bsc#1254441). * CVE-2026-29518: Symlink-Race TOCTOU in Daemon (use chroot = no) (bsc#1264511). * CVE-2026-41035: count of entries mismatch can lead to a use-after-free (bsc#1262223). * CVE-2026-43617: Authorization Bypass via Hostname Resolution (bsc#1264515). * CVE-2026-43618: Integer Overflow Information Disclosure (bsc#1264512). * CVE-2026-43619: Symlink Race Condition via Path-Based Syscalls (bsc#1264514). * CVE-2026-43620: Out-of-Bounds Array Read via recv_files() (bsc#1264513). * CVE-2026-45232: Off-by-one stack OOB write in HTTP CONNECT proxy response parsing (bsc#1265296). ## Patch Instructions: To install this SUSE update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: * SUSE Linux Enterprise Server 16.0 zypper in -t patch SUSE-SLES-16.0-867=1 * SUSE Linux Enterprise Server for SAP applications 16.0 zypper in -t patch SUSE-SLES-16.0-867=1 ## Package List: * SUSE Linux Enterprise Server 16.0 (aarch64 ppc64le s390x x86_64) * rsync-debugsource-3.4.1-160000.4.1 * rsync-3.4.1-160000.4.1 * rsync-debuginfo-3.4.1-160000.4.1 * SUSE Linux Enterprise Server for SAP applications 16.0 (ppc64le x86_64) * rsync-debugsource-3.4.1-160000.4.1 * rsync-3.4.1-160000.4.1 * rsync-debuginfo-3.4.1-160000.4.1 ## References: * https://www.suse.com/security/cve/CVE-2025-10158.html * https://www.suse.com/security/cve/CVE-2026-29518.html * https://www.suse.com/security/cve/CVE-2026-41035.html * https://www.suse.com/security/cve/CVE-2026-43617.html * https://www.suse.com/security/cve/CVE-2026-43618.html *https://www.suse.com/security/cve/CVE-2026-43619.html * https://www.suse.com/security/cve/CVE-2026-43620.html * https://www.suse.com/security/cve/CVE-2026-45232.html * https://bugzilla.suse.com/show_bug.cgi?id=1254441 * https://bugzilla.suse.com/show_bug.cgi?id=1262223 * https://bugzilla.suse.com/show_bug.cgi?id=1264511 * https://bugzilla.suse.com/show_bug.cgi?id=1264512 * https://bugzilla.suse.com/show_bug.cgi?id=1264513 * https://bugzilla.suse.com/show_bug.cgi?id=1264514 * https://bugzilla.suse.com/show_bug.cgi?id=1264515 * https://bugzilla.suse.com/show_bug.cgi?id=1265296 . SUSE updates to fix rsync issues, addressing eight vulnerabilities including important fix for use-after-free.. SUSE Linux, rsync updates, security issues, patch management, Linux updates. . Severity: Important. LinuxSecurity.com Team
Get the latest Linux and open source security news straight to your inbox.