Your message dated Tue, 16 Aug 2022 11:45:20 +0000
with message-id <[email protected]>
and subject line Bug#1016543: fixed in rsync 3.2.5-1
has caused the Debian Bug report #1016543,
regarding rsync: CVE-2022-29154
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
1016543: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1016543
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: rsync
Version: 3.2.4-1
Severity: important
Tags: security upstream
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>

Hi,

The following vulnerability was published for rsync.

CVE-2022-29154[0]:
| An issue was discovered in rsync before 3.2.5 that allows malicious
| remote servers to write arbitrary files inside the directories of
| connecting peers. The server chooses which files/directories are sent
| to the client. However, the rsync client performs insufficient
| validation of file names. A malicious rsync server (or Man-in-The-
| Middle attacker) can overwrite arbitrary files in the rsync client
| target directory and subdirectories (for example, overwrite the
| .ssh/authorized_keys file).

IMHO the issue does not warrant a DSA, but can be fixed at a point
release time. Note that apart from the initial commit mentioned in the
oss-security post there were additional commits done upstream around
that.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2022-29154
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-29154
[1] https://www.openwall.com/lists/oss-security/2022/08/02/1

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

--- End Message ---
--- Begin Message ---
Source: rsync
Source-Version: 3.2.5-1
Done: Samuel Henrique <[email protected]>

We believe that the bug you reported is fixed in the latest version of
rsync, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Samuel Henrique <[email protected]> (supplier of updated rsync package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Tue, 16 Aug 2022 11:03:48 +0100
Source: rsync
Architecture: source
Version: 3.2.5-1
Distribution: unstable
Urgency: medium
Maintainer: Paul Slootman <[email protected]>
Changed-By: Samuel Henrique <[email protected]>
Closes: 1009981 1016543
Changes:
 rsync (3.2.5-1) unstable; urgency=medium
 .
   * New upstream version 3.2.5
     - Added some file-list safety checking that helps to ensure that a rogue
       sending rsync can't add unrequested top-level names and/or include
       recursive names that should have been excluded by the sender. These
       extra safety checks only require the receiver rsync to be updated. When
       dealing with an untrusted sending host, it is safest to copy into a
       dedicated destination directory for the remote content (i.e. don't copy
       into a destination directory that contains files that aren't from the
       remote host unless you trust the remote host)
       (closes: #1016543, CVE-2022-29154).
     - The build date that goes into the manpages is now based on the
       developer's release date, not on the build's local-timezone
       interpretation of the date (closes: #1009981)
Checksums-Sha1:
 061ba53c8da88009921a89dc64c639f9858a09b4 2276 rsync_3.2.5-1.dsc
 26baded8871b9e2406add210cdbfa744c94642d2 1129957 rsync_3.2.5.orig.tar.gz
 5e066f34f9846b70039af0ce868b2edb667b2d98 195 rsync_3.2.5.orig.tar.gz.asc
 4e5a8c93f7a44da9a83b17e2c3e1995fb938affe 25612 rsync_3.2.5-1.debian.tar.xz
 b9005c98a54f3c7d7698bffc78becc37ef7b6374 7006 rsync_3.2.5-1_amd64.buildinfo
Checksums-Sha256:
 9507370fefafbebedb5970d5720b75edab7c56d263b3775cbc69d02421f8ba5a 2276 rsync_3.2.5-1.dsc
 2ac4d21635cdf791867bc377c35ca6dda7f50d919a58be45057fd51600c69aba 1129957 rsync_3.2.5.orig.tar.gz
 bd2ea7f1a057043c09797c18a5a18a78dcf453e11fbbdf8354a39eca1e67c9cc 195 rsync_3.2.5.orig.tar.gz.asc
 b5494c5138dd35aaad2c8939fdc49ca997baa618c3583834eb4e378e9fd0194d 25612 rsync_3.2.5-1.debian.tar.xz
 786af16f711ca89eb74923a8dbf67bde5130dfcca009d78cbeea99d0c179f6b8 7006 rsync_3.2.5-1_amd64.buildinfo
Files:
 de9e68d24b8f3c5bbd70340df7d6f423 2276 net optional rsync_3.2.5-1.dsc
 2fd61dfd76d39098c3be6eb5d54bb633 1129957 net optional rsync_3.2.5.orig.tar.gz
 ed2438496f401c3eff8979e3263e2515 195 net optional rsync_3.2.5.orig.tar.gz.asc
 28cc7d3e1bd45f63894ff37f7f17abfb 25612 net optional rsync_3.2.5-1.debian.tar.xz
 428c1f840fccf91a82897cfb1a3c3b22 7006 net optional rsync_3.2.5-1_amd64.buildinfo

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEEBdtqg34QX0sdAsVfu6n6rcz7RwcFAmL7cF0ACgkQu6n6rcz7
RwdaQQ/+LYFjs9dFSFZz/QorZ5urdlwTJMQON4opV6nCxBLWXWPXOyTXReA+aVjD
QG6aMDlms7BE0AB3cWhb6i5UySuTqxrbTesRJTh2jf+Sc3HL3jPdKL5s8YJ0Q/bU
Elaz/X+DC+mB8FnxrBJgPdMjhqQsARDXiAME28WwiOm5NjjLnqZoJZTp0fo6T42O
DTLx2146K+DCTbAUMwBc7+0Awx4WF+Grq62TX6a3WXP43egSmdHaqpKHmQN1emdw
tK6FngjxlhBm3yPOHhvJW5oylNEXnQ1KK7QPYi0RyjU0e/kh+nMUQefQK8ncxNDf
LHE3C6kQh9Ark3qFAKU+hUIjKXaMQkrf4tVwHxFZFAke70jC6p9In2aJorNa5ppM
aU85vMNshav99VDVdenevIv8P16yM5xResmK3aabgIXzCMYF2tv9Ofod49F2DT3L
rOEL6F5E2PHyjAgLNV66GTPNKNtEhv1B4asbRx/ZsHtf3CXLDiRqDT5+V7v7zlNu
XddRFM6bJH/GRS8ScACfdPlKFuQxCfvj+XSZQQsw3bWM2pIswDl3hMR7wmsLu+N9
PN5uwXljxqjFvof9/sNGcYeyOkRQRVbsTB/oO5FFItZ06YIqvM3wpJCjHMm1uMKa
yqw3wQDLku7AXWFn6XpTAB1WrvfocYfWpPykTlO+VykwOrxV69c=
=dVEm
-----END PGP SIGNATURE-----

--- End Message ---
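The CVE text in the first message (the sender picks the names in the file list, the client validates them insufficiently) and the 3.2.5 changelog in the second (a rogue sender must not add unrequested top-level names or recursive names the receiver excluded) describe the receiver-side check without showing one. The following is an added example written for this page, not rsync's own code: a Python model of that class of check. The names validate_file_list, check_file_list and RogueFileList, the simplified exclude matching, and the file lists are this example's own constructions.

```python
"""
Receiver-side file-list check, modelled on the defence the rsync 3.2.5
changelog describes for CVE-2022-29154.  Added example for this page,
not rsync's own code: validate_file_list, check_file_list and
RogueFileList are names chosen for this illustration.

The sender decides which names go into the file list; an unpatched
receiver wrote whatever it was told.  The check below refuses to act on
any name the receiver did not ask for, plus the usual path-escape cases.
"""
from __future__ import annotations

import fnmatch


class RogueFileList(ValueError):
    """A name in the sender's file list was not requested by the receiver."""


def validate_file_list(
    requested: list[str],
    file_list: list[str],
    excludes: tuple[str, ...] = (),
) -> list[str]:
    """
    Return the entries of ``file_list`` the receiver may create.

    requested : top-level names the receiver asked for, e.g. ["backup"]
                for ``rsync -r host:backup .``.  The single entry "." means
                the receiver asked for a directory's *contents*
                (``host:backup/``); every top-level name is then permitted,
                because the sender legitimately chooses all of them.
    excludes  : receiver-side exclude patterns, re-applied here because a
                rogue sender may ignore them.  Simplified matching (an
                assumption of this example): a pattern is tested against
                every path component.

    Raises RogueFileList for absolute paths, '..' or empty components, and
    top-level names that were not requested.  Excluded entries are dropped.
    """
    allow_any_top = requested == ["."]
    allowed_tops = {r.rstrip("/") for r in requested}
    accepted: list[str] = []
    for name in file_list:
        if name.startswith("/"):
            raise RogueFileList(f"absolute path from sender: {name!r}")
        parts = name.split("/")
        if ".." in parts:
            raise RogueFileList(f"parent-directory reference from sender: {name!r}")
        if "" in parts:
            raise RogueFileList(f"malformed name from sender: {name!r}")
        if not allow_any_top and parts[0] not in allowed_tops:
            raise RogueFileList(f"unrequested top-level name from sender: {name!r}")
        if any(fnmatch.fnmatchcase(p, pat) for p in parts for pat in excludes):
            continue  # the receiver's own exclude list wins over the sender's
        accepted.append(name)
    return accepted


def check_file_list(requested, file_list, excludes=()) -> str | None:
    """Convenience wrapper: the rejection reason, or None if the list is clean."""
    try:
        validate_file_list(requested, file_list, excludes)
    except RogueFileList as exc:
        return str(exc)
    return None


# Constructed file lists for the demonstration (not captured from a real transfer).
HONEST = ["backup", "backup/notes.txt", "backup/photos", "backup/photos/a.jpg"]
# A rogue sender adds a top-level '.ssh' entry to a transfer in which the
# receiver only asked for 'backup': the authorized_keys overwrite from the
# CVE description.
ROGUE = HONEST + [".ssh", ".ssh/authorized_keys"]

if __name__ == "__main__":
    print("honest  :", check_file_list(["backup"], HONEST))
    print("rogue   :", check_file_list(["backup"], ROGUE))
    # Asking for a directory's contents ('host:backup/' into '.') leaves the
    # top-level names entirely up to the sender, so the check cannot help.
    print("contents:", check_file_list(["."], [".", ".ssh", ".ssh/authorized_keys"]))
```

The last case is why the changelog still advises a dedicated destination directory for untrusted senders: when the receiver asks for a directory's contents, every top-level name is legitimately the sender's to choose, so no file-list check can tell a rogue `.ssh` from a wanted one. Only an empty, purpose-specific destination bounds what such a sender can overwrite.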
