Your message dated Fri, 28 Nov 2025 01:04:27 +0000
with message-id <[email protected]>
and subject line Bug#1121442: fixed in rsync 3.4.1+ds1-7
has caused the Debian Bug report #1121442,
regarding rsync: CVE-2025-10158
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
1121442: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1121442
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: rsync
Version: 3.4.1+ds1-6
Severity: normal
Tags: security upstream
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>

Hi,

The following vulnerability was published for rsync.

CVE-2025-10158[0]:
| A malicious client acting as the receiver of an rsync file transfer
| can trigger an out of bounds read of a heap based buffer, via a
| negative array index. The malicious rsync client requires at
| least read access to the remote rsync module in order to trigger the
| issue.

My understanding of the change, the commit description and issue
description seems to be that this is not really dramatic. Still filing to
have a tracking reference of the bug (which has a CVE associated).

IMHO can be either fixed via cherry-picking the fix for unstable or
waiting for a new upstream version including it. For trixie and
bookworm we have marked the CVE as no-dsa.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2025-10158
    https://www.cve.org/CVERecord?id=CVE-2025-10158
[1] https://github.com/RsyncProject/rsync/commit/797e17fc4a6f15e3b1756538a9f812b63942686f

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

--- End Message ---
--- Begin Message ---
Source: rsync
Source-Version: 3.4.1+ds1-7
Done: Matheus Polkorny <[email protected]>

We believe that the bug you reported is fixed in the latest version of
rsync, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Matheus Polkorny <[email protected]> (supplier of updated rsync package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


Format: 1.8
Date: Thu, 27 Nov 2025 21:01:55 -0300
Source: rsync
Architecture: source
Version: 3.4.1+ds1-7
Distribution: unstable
Urgency: medium
Maintainer: Samuel Henrique <[email protected]>
Changed-By: Matheus Polkorny <[email protected]>
Closes: 1121442
Changes:
 rsync (3.4.1+ds1-7) unstable; urgency=medium
 .
   * Team upload.
 .
   [ Arnaud Rebillout ]
   * d/control: Switch back to python3-cmarkgfm for all architectures
 .
   [ Matheus Polkorny ]
   * d/p/CVE-2025-10158.patch: Import upstream patch to fix CVE-2025-10158
 .
     A malicious client acting as the receiver of an rsync file transfer
     can trigger an out of bounds read of a heap based buffer,
     via a negative array index. (Closes: #1121442)
Checksums-Sha1:
 b622433489f1e2f71fa9f88dc6b93c1a736ecf29 2156 rsync_3.4.1+ds1-7.dsc
 35231ad8772e36db7a024a6c086bdc61e4349bb1 37352 rsync_3.4.1+ds1-7.debian.tar.xz
 910bfb26c8f8a21829ee03a230fb205cb2e8c5d7 6760 rsync_3.4.1+ds1-7_amd64.buildinfo
Checksums-Sha256:
 3ef0fe6776d2ba60973a52b6c6acb1b232f4fb78b5b19ce29cabd4f1b9642353 2156 rsync_3.4.1+ds1-7.dsc
 1afae79ff3efa55391e2ddf6a92e8df8abefb3acea4cd8219e6684904661d950 37352 rsync_3.4.1+ds1-7.debian.tar.xz
 5acadca59602c371510d111c6807dfec470348670f699ce13bfd49a1de706fd3 6760 rsync_3.4.1+ds1-7_amd64.buildinfo
Files:
 21c1de727019d30159bd0a94141ed37a 2156 net optional rsync_3.4.1+ds1-7.dsc
 d6214a30912afec970f4467305642ca4 37352 net optional rsync_3.4.1+ds1-7.debian.tar.xz
 50ecae422e24875963df35dc3fcca99e 6760 net optional rsync_3.4.1+ds1-7_amd64.buildinfo




--- End Message ---
