Re: rssh security update breaks rsync via Synology's "hyper backup"

2019-02-20 Thread Roman Medina-Heigl Hernandez
On 19/02/2019 at 17:44, Russ Allbery wrote: > Roman Medina-Heigl Hernandez writes: > > So you cannot overwrite /home/synology/rsyncd.conf. > Can the client just do: > > rsync rsyncd.conf :./ > You're right, I was wrong. It's game over :) > I think to make this safe the home directory

Re: rssh security update breaks rsync via Synology's "hyper backup"

2019-02-19 Thread Russ Allbery
Roman Medina-Heigl Hernandez writes: > Well, in my case I had the following setting in rsyncd.conf: > path = /backup/synology > where path points to a different directory which is NOT $home nor > doesn't permit to reach $home. > So you cannot overwrite /home/synology/rsyncd.conf. Can the

Re: rssh security update breaks rsync via Synology's "hyper backup"

2019-02-19 Thread Roman Medina-Heigl Hernandez
On 19/02/2019 at 4:16, Russ Allbery wrote: > Unfortunately, I took a closer look, and it turns out that this command > was never safe. It also allows arbitrary code execution on the server > side if the client can write to $HOME. This is because: > >--config=FILE > This
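The problem Russ describes in this message, and the `rsync rsyncd.conf :./` upload that Roman and Russ agree on in the 2019-02-20 and 2019-02-19 replies above, can be turned into a concrete command-line check. The POSIX shell function below is an added example and is not rssh's code: it approves an ordinary `rsync --server` transfer and rejects the `--server --daemon` form and any `--config=` argument outright, which is the only safe outcome the thread reaches for a user whose home directory the client can write. Requiring `--server`, splitting the command on whitespace only, and the sample command lines are assumptions of the example.

```shell
#!/bin/sh
# Added example in the spirit of rssh's "cmd 'rsync' approved" decision.
# Not rssh's code. The rule it implements: an rsync --server transfer is
# allowed, but the daemon form is refused, because with --server --daemon
# the client can first upload its own rsyncd.conf into $HOME and then have
# the server read it (via --config=FILE or the daemon's default config
# lookup), as the thread concludes.

# check_rsync_cmd "<command line as the client sent it>"
# Prints exactly one line, "approved" or "rejected: <reason>", and
# returns 0 for approved, 1 for rejected.
check_rsync_cmd() {
    cmd=$1
    # Assumption: split on whitespace only; rsync's own --server argv has
    # no quoted words, so this is enough for the cases under discussion.
    set -- $cmd
    [ "$1" = "rsync" ] || { echo "rejected: not rsync"; return 1; }
    shift
    saw_server=0
    for arg in "$@"; do
        case "$arg" in
            --server)
                saw_server=1 ;;
            --daemon|--daemon=*)
                # The form the thread shows is unsafe when the client can
                # write $HOME: refuse it regardless of anything else.
                echo "rejected: daemon mode"; return 1 ;;
            --config|--config=*)
                # Meaningless without --daemon, but refuse it explicitly so
                # the decision does not depend on option ordering.
                echo "rejected: --config"; return 1 ;;
        esac
    done
    # Assumption: only server-side invocations are ever expected here.
    [ "$saw_server" = 1 ] || { echo "rejected: no --server"; return 1; }
    echo "approved"
    return 0
}

# Constructed sample command lines (not taken from the thread's logs).
# The first is what "rsync rsyncd.conf host:./" makes the server run, and it
# is approved: the filter cannot stop the upload, only the daemon mode that
# would later honour the uploaded file.
for sample in \
    "rsync --server -e.iLsfxC . ./" \
    "rsync --server --daemon ." \
    "rsync --server --daemon --config=/home/synology/rsyncd.conf ." \
    "rsync --daemon ."; do
    printf '%-66s -> ' "$sample"
    check_rsync_cmd "$sample" || :
done
```

Note what this does and does not buy: it closes the `--server --daemon` path, but the plain transfer that writes `rsyncd.conf` into the home directory is still approved, which is why the thread ends by looking at the home directory itself rather than at the command filter alone.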

Re: rssh security update breaks rsync via Synology's "hyper backup"

2019-02-19 Thread Chris Lamb
Hi Russ, > I've not done an LTS security upload before, but it looks from the wiki > that it uses the same security-master process as stable security updates. > Please let me know if that's wrong. This is mostly correct, yep! I made the following changes to your jessie diff: - * The fix

Re: rssh security update breaks rsync via Synology's "hyper backup"

2019-02-18 Thread Russ Allbery
Russ Allbery writes: > I'll follow up with the proposed diffs for stable and oldstable. Here are the proposed diffs for stable and oldstable. The stable diff just fixes the libssh2 interoperability regression. The oldstable diff fixes both that and the regression with downloading multiple

Re: rssh security update breaks rsync via Synology's "hyper backup"

2019-02-18 Thread Russ Allbery
Roman Medina-Heigl Hernandez writes: > On 18/02/2019 at 18:27, Russ Allbery wrote: >> While I agree that using undocumented features of rsync is a little >> dubious, I'm also willing to include a fix to allow the specific >> command line "rsync --server --daemon " since (a) it seems to be

Re: rssh security update breaks rsync via Synology's "hyper backup"

2019-02-18 Thread Chris Lamb
Antoine Beaupré wrote: > > Does this plan sound good to everyone? I'll follow up with the proposed > > diffs for stable and oldstable. > > Works for me (LTS), although I won't be the one performing the upgrade > (I've unclaimed the package for other reasons). Works for me too and happy to take

Re: rssh security update breaks rsync via Synology's "hyper backup"

2019-02-18 Thread Antoine Beaupré
On 2019-02-18 09:27:37, Russ Allbery wrote: > Does this plan sound good to everyone? I'll follow up with the proposed > diffs for stable and oldstable. Works for me (LTS), although I won't be the one performing the upgrade (I've unclaimed the package for other reasons). Thanks for your work!

Re: rssh security update breaks rsync via Synology's "hyper backup"

2019-02-18 Thread Roman Medina-Heigl Hernandez
On 18/02/2019 at 18:27, Russ Allbery wrote: > While I agree that using undocumented features of rsync is a little > dubious, I'm also willing to include a fix to allow the specific command > line "rsync --server --daemon " since (a) it seems to be safe, (b) > looks easy enough to do, and (c)

Re: rssh security update breaks rsync via Synology's "hyper backup"

2019-02-18 Thread Russ Allbery
Antoine Beaupré writes: > That said, if we do fix this in jessie, we should do it at the same time > as the regression identified in stretch (DSA-4377-2). > Russ, do you want to handle the Jessie update or should the LTS team do > it? > Should we wait for resolution on this issue before

Re: rssh security update breaks rsync via Synology's "hyper backup"

2019-02-14 Thread Moritz Muehlenhoff
On Thu, Feb 14, 2019 at 10:08:40AM -0800, Russ Allbery wrote: > Unfortunately, so far as I can tell, --server --daemon is not > even documented in the rsync man page as something you can do (I certainly > didn't know about its existence before this string of CVEs), so it's > pretty hard to figure

Re: rssh security update breaks rsync via Synology's "hyper backup"

2019-02-14 Thread Antoine Beaupré
On 2019-02-14 10:08:40, Russ Allbery wrote: > Roman Medina-Heigl Hernandez writes: > >> Added Russ (rssh maintainer). > >> I cannot probe it but I guess chances are high that the issue is present >> both in stable and oldstable (I cannot find a good reason to filter >> different commands:

Re: rssh security update breaks rsync via Synology's "hyper backup"

2019-02-14 Thread Russ Allbery
Roman Medina-Heigl Hernandez writes: > Added Russ (rssh maintainer). > I cannot probe it but I guess chances are high that the issue is present > both in stable and oldstable (I cannot find a good reason to filter > different commands: solution should be the same or very similar) so I'm > still

Re: rssh security update breaks rsync via Synology's "hyper backup"

2019-02-14 Thread Roman Medina-Heigl Hernandez
Added Russ (rssh maintainer). I cannot probe it but I guess chances are high that the issue is present both in stable and oldstable (I cannot find a good reason to filter different commands: solution should be the same or very similar) so I'm still keeping debian-security in the loop. PS: Thx

Re: rssh security update breaks rsync via Synology's "hyper backup"

2019-02-14 Thread Chris Lamb
[debian-secur...@lists.debian.org → Bcc] Holger Levsen wrote: > > I applied recent rssh security updates to Debian 8 (jessie) and I > > noticed that it breaks Synology's "Hyper backup" tool (with rsync method). > > > > Feb 10 03:28:21 roman rssh[19985]: cmd 'rsync' approved > > Feb 10 03:28:21

Re: rssh security update breaks rsync via Synology's "hyper backup"

2019-02-14 Thread Holger Levsen
Hi Roman, the security team is not responsible for Debian LTS, I've thus added debian-lts@lists.d.o to the mail recipients, so that they become aware of your issue. On Thu, Feb 14, 2019 at 06:06:34PM +0100, Roman Medina-Heigl Hernandez wrote: > Hi security-fellows, > > I applied recent rssh