Package        : rsync
Version        : 3.1.1-3+deb8u2
CVE ID         : CVE-2016-9840 CVE-2016-9841 CVE-2016-9842 CVE-2016-9843
                 CVE-2018-5764

Trail of Bits used the automated vulnerability discovery tools developed for the DARPA Cyber Grand Challenge to audit zlib. As rsync, a fast, versatile, remote (and local) file-copying tool, uses an embedded copy of zlib, those issues are also present in rsync.

CVE-2016-9840

    In order to avoid undefined behavior, remove offset pointer
    optimization, as this is not compliant with the C standard.

CVE-2016-9841

    Only use post-increment to be compliant with the C standard.

CVE-2016-9842

    In order to avoid undefined behavior, do not shift negative values,
    as this is not compliant with the C standard.

CVE-2016-9843

    In order to avoid undefined behavior, do not pre-decrement a pointer
    in big-endian CRC calculation, as this is not compliant with the
    C standard.

CVE-2018-5764

    Prevent remote attackers from being able to bypass the
    argument-sanitization protection mechanism by ignoring
    --protect-args when already sent by client.

For Debian 8 "Jessie", these problems have been fixed in version
3.1.1-3+deb8u2.

We recommend that you upgrade your rsync packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
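
The standard-compliant forms named for CVE-2016-9840, CVE-2016-9841 and CVE-2016-9842, shown as an added C example; this is not code from zlib, rsync or the Debian patch. The function names pack_mark and copy_match and their parameters are hypothetical.

```c
#include <stddef.h>

/* Added illustration; hypothetical helpers, not code from zlib or rsync. */

/* CVE-2016-9842 pattern: a signed value that may be -1 must not be
 * left-shifted directly. Shift in unsigned arithmetic, then convert back
 * (that conversion is implementation-defined; gcc and clang wrap). */
long pack_mark(int back, unsigned length)
{
    unsigned long hi = (unsigned long)(long)back << 16;
    return (long)hi + (long)length;
}

/* CVE-2016-9840/9841 pattern: an LZ77 back-reference copy written with
 * post-increment only. The removed optimisation biased pointers by -1
 * (p = buf - 1; ... *++p), and forming buf - 1 is itself undefined.
 * win holds `have` valid bytes out of `cap`. Returns the number of bytes
 * copied, or 0 if the reference falls outside the window. */
size_t copy_match(unsigned char *win, size_t have, size_t cap,
                  size_t dist, size_t len)
{
    unsigned char *out, *from;
    size_t n = len;

    if (have > cap)
        return 0;
    if (dist == 0 || dist > have)   /* would read before win[0] */
        return 0;
    if (len > cap - have)           /* would write past win[cap - 1] */
        return 0;
    out = win + have;
    from = out - dist;              /* stays inside [win, win + have) */
    while (n--)
        *out++ = *from++;           /* byte-wise, so overlap repeats the pattern */
    return len;
}
```

Building with -fsanitize=undefined is one way to catch the old shift and pointer forms if they reappear in a vendored copy.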