Source: rsync
Version: 3.4.1+ds1-6
Severity: normal
Tags: security upstream
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>
Hi,

The following vulnerability was published for rsync.

CVE-2025-10158[0]:
| A malicious client acting as the receiver of an rsync file transfer
| can trigger an out of bounds read of a heap based buffer, via a
| negative array index. The malicious rsync client requires at
| least read access to the remote rsync module in order to trigger the
| issue.

From my understanding of the change, the commit description and the issue description, this is not really dramatic. Still filing it to have a tracking reference for the bug (which has a CVE associated). IMHO it can be fixed either by cherry-picking the fix for unstable or by waiting for a new upstream version that includes it. For trixie and bookworm we have marked the CVE as no-dsa.

If you fix the vulnerability please also make sure to include the CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2025-10158
    https://www.cve.org/CVERecord?id=CVE-2025-10158
[1] https://github.com/RsyncProject/rsync/commit/797e17fc4a6f15e3b1756538a9f812b63942686f

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

