On Thu 04 Dec 2003, Paul Haas wrote:
>
> > On Thu 04 Dec 2003, Martin Pool wrote:
> >
> > > - rsync version 2.5.6 contains a heap overflow vulnerability that can
> > > be used to remotely run arbitrary code.
> >
> > Is this specific to 2.5.6, or are earlier versions also vulnerable?
> > Important detail, as it makes the difference between needing to upgrade
> > older rsync's as well, or only those that are 2.5.6... As Debian
> > provides security patches for the stable release (which contains rsync
> > 2.5.5), I'm wondering whether an update for that is necessary.
>
> Sure looks necessary to me.
Thanks. The Debian security team are working on a fixed 2.5.5 for "stable" now. In fact, it's done, but needs to be built on all the architectures that Debian supports before an announcement can go out.

I've also built 2.5.7 for unstable/testing, but as at this time nothing is being installed into the archives (due to the earlier compromise), it won't be available for at least a couple of days :-(

In the meantime, interested parties may download

    http://www.wurtel.cistron.nl/rsync_2.5.7-1_i386.deb

(md5sum 985e720f7502c2df9685a2202d36692d) and install that with dpkg -i, taking into account its dependencies: libc6 (>= 2.3.2.ds1-4), libpopt0 (>= 1.7)

Paul Slootman
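The message above gives a download URL, an md5sum and two versioned dependencies, and leaves the checking to the reader. The script below is an added example, not part of the original mail or of Debian's own tooling: it fetches the .deb, refuses to install unless the digest matches the announced value, checks the two stated dependencies with dpkg's own version comparison, and only then runs dpkg -i. The URL, md5sum and dependency versions are the ones quoted in the mail; the function names and the --install flag are this example's own. Note that md5 is no longer collision-resistant, so today one would compare a SHA-256 or, better, verify a signature; the value of the check here is that the digest arrives over a different channel (a signed list mail) than the package (plain HTTP).

```shell
#!/bin/sh
# Added example (not from the original message or from Debian): verify a
# downloaded .deb against an announced md5sum and the stated dependencies
# before handing it to dpkg -i.

set -u

# Print the md5 hex digest of a file, using whichever tool is present.
md5_of() {
    if command -v md5sum >/dev/null 2>&1; then
        md5sum "$1" | cut -d' ' -f1
    else
        openssl dgst -md5 "$1" | sed 's/.*= //'
    fi
}

# verify_md5 FILE EXPECTED -> 0 if the digest matches, 1 otherwise.
# Case-insensitive, since a mail may quote the digest in either case.
verify_md5() {
    file=$1
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    actual=$(md5_of "$file" | tr 'A-F' 'a-f')
    [ -n "$actual" ] && [ "$actual" = "$expected" ]
}

# dep_satisfied PKG MINVER -> 0 if PKG is installed at version >= MINVER.
# Relies on dpkg-query and dpkg --compare-versions, so Debian hosts only.
dep_satisfied() {
    pkg=$1
    minver=$2
    inst=$(dpkg-query -W -f '${Version}' "$pkg" 2>/dev/null) || return 1
    [ -n "$inst" ] && dpkg --compare-versions "$inst" ge "$minver"
}

# install_checked URL MD5 [PKG=MINVER ...]: download, verify, check deps, install.
# The package file name is taken from the last path component of the URL.
install_checked() {
    url=$1
    sum=$2
    shift 2
    deb=${url##*/}
    wget -O "$deb" "$url" || return 1
    if ! verify_md5 "$deb" "$sum"; then
        echo "md5 mismatch for $deb, refusing to install" >&2
        return 1
    fi
    for dep in "$@"; do
        if ! dep_satisfied "${dep%%=*}" "${dep#*=}"; then
            echo "dependency not satisfied: $dep" >&2
            return 1
        fi
    done
    dpkg -i "$deb"
}

# Only act when run with --install; sourcing the file just defines the functions.
# Values are the ones quoted in the mail above.
if [ "${1:-}" = "--install" ]; then
    install_checked http://www.wurtel.cistron.nl/rsync_2.5.7-1_i386.deb \
        985e720f7502c2df9685a2202d36692d \
        libc6=2.3.2.ds1-4 libpopt0=1.7
fi
```

Run it as root with `--install` on the i386 stable box; any digest mismatch or missing dependency aborts before dpkg ever sees the file, which is the property you want from an out-of-archive package fetched over plain HTTP.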
-- 
To unsubscribe or change options: http://lists.samba.org/mailman/listinfo/rsync
Before posting, read: http://www.catb.org/~esr/faqs/smart-questions.html