There exist several signedness bugs within the rsync program which allow remote attackers to write 0-bytes to almost arbitrary stack-locations, therefore being able to control the program flow and obtain a shell remotely.

New rsync packages are available to fix a security problem.

Here's the information from the Slackware 8.0 ChangeLog:

    Fri Jan 25 14:25:51 PST 2002
    patches/packages/rsync.tgz: Fixed a security hole by upgrading to
    rsync-2.4.8pre1. This is the relevant information from the rsync NEWS file:

      SECURITY FIXES:
      * Signedness security patch from Sebastian Krahmer -- in some cases
        we were not sufficiently careful about reading integers from the
        network.

    (* Security fix *)

We recommend that sites providing external rsync access upgrade to the fixed rsync package as soon as possible.

WHERE TO FIND THE NEW PACKAGE:
------------------------------

Updated rsync package for Slackware 8.0:

Updated rsync package for Slackware 7.1:

MD5 SIGNATURE:
--------------

Here are the md5sums for the packages:

    Slackware 8.0:
    1e87ef764968bc9da53e38eadf8a7d22  rsync.tgz

    Slackware 7.1:
    294079e04b18dafddee820468aad3a16  rsync.tgz

INSTALLATION INSTRUCTIONS:
--------------------------

Simply upgrade as root:

    # upgradepkg rsync.tgz

Remember, it's also a good idea to back up configuration files before upgrading packages.

- Slackware Linux Security Team
  The Slackware Linux Project

Topics: rsync Security, Remote Code Execution, Signedness Bugs

Severity: Critical

LinuxSecurity.com Team
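The bug class named in the NEWS entry (a signed integer read from the network and checked only against an upper bound), shown beside a hardened reader. This is an added illustration, not rsync's code or part of the advisory; the message layout (4-byte little-endian length, then payload), the buffer size and all function names are assumptions.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define NAME_BUF 64 /* hypothetical fixed-size destination buffer */

/* Constructed sample messages: 4-byte little-endian length, then payload. */
static const unsigned char MSG_OK[]  = {3, 0, 0, 0, 'a', 'b', 'c'};
static const unsigned char MSG_NEG[] = {0xf0, 0xff, 0xff, 0xff}; /* -16 */

/* Decode the length field as a signed 32-bit value, as a careless
   reader would (two's-complement conversion assumed). */
static int32_t read_i32_le(const unsigned char *p)
{
    uint32_t v = (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
                 ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
    return (int32_t)v;
}

/* Weak check: upper bound only. A negative length is accepted, so a
   later buf[len] = 0 would store a zero byte below the buffer. */
static int weak_check_accepts(int32_t len) { return len < NAME_BUF; }

/* Strict check: the value must be a valid index into the buffer. */
static int strict_check_accepts(int32_t len) { return len >= 0 && len < NAME_BUF; }

/* Hardened reader: validates the length against both the destination
   buffer and the bytes actually received before copying.
   Returns 0 on success, -1 if the message is rejected. */
static int read_name(const unsigned char *msg, size_t msg_size, char out[NAME_BUF])
{
    int32_t len;
    if (msg_size < 4) return -1;
    len = read_i32_le(msg);
    if (!strict_check_accepts(len)) return -1;
    if ((size_t)len > msg_size - 4) return -1; /* truncated payload */
    memcpy(out, msg + 4, (size_t)len);
    out[len] = '\0';
    return 0;
}

int main(void)
{
    char out[NAME_BUF];
    int32_t neg = read_i32_le(MSG_NEG);
    printf("len=%d weak=%d strict=%d\n", (int)neg,
           weak_check_accepts(neg), strict_check_accepts(neg));
    printf("ok=%d neg=%d\n", read_name(MSG_OK, sizeof MSG_OK, out),
           read_name(MSG_NEG, sizeof MSG_NEG, out));
    return 0;
}
```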