Critical Rsync Vulnerability Requires Immediate Patching on Linux and Unix systems
The rsync utility in Linux, *BSD, and Unix-like systems is vulnerable to multiple security issues, including arbitrary code execution, arbitrary file upload, information disclosure, and privilege escalation. Hence, you must patch the system ASAP.
Comments
You have to highlight that this is rsyncd, so "server", not client, which means 99% of people here are safe.
It appears that the heap buffer overflow is in the checksum handling. rsyncd makes it remotely exploitable. OTOH, if you're rsyncing unknown/adversarial data locally, you could be pwned as well.
If you are not running the rsync daemon, you are OK. Rsync - tool, rsyncd - daemon.
Why would you even run the rsync daemon? What is the use case?
Well, it is a service running in the background and does not require an SSH connection to operate. Rsync is a one-off command-line tool.
The daemon lets you configure accounts and their permissions independently from the system's accounts. It also allows configuring read-only accounts that cannot upload or alter files.
Yes, mostly this. Very useful for pull backups, where you can also fine-tune access rights and exclusion lists that cannot be overridden from the client side.
I bind rsyncd only over VPN interfaces, so I'm less concerned about the issue than others might be.
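As an added illustration of the "bind rsyncd only over VPN interfaces" point (example code, not from anyone in this thread): a small POSIX sh check that reads `ss -Hltn` style output and reports whether an rsync daemon on port 873 is listening on a wildcard address or only on specific (e.g. VPN) addresses. The VPN address 10.8.0.1 and the sample socket listing are constructed for the example.

```shell
#!/bin/sh
# Added example: audit rsyncd exposure from `ss -Hltn` output
# (columns: State Recv-Q Send-Q Local-Address:Port Peer-Address:Port).
# Port 873 is rsyncd's default; the sample data below is constructed.

RSYNCD_PORT=873

# Print the local address (without port) of every LISTEN socket on $RSYNCD_PORT.
rsyncd_listeners() {
    printf '%s\n' "$1" | awk -v port="$RSYNCD_PORT" '
        $1 == "LISTEN" {
            n = split($4, parts, ":")          # IPv6 literals contain ":" too
            if (parts[n] == port)
                print substr($4, 1, length($4) - length(port) - 1)
        }'
}

# "exposed" for wildcard binds (all interfaces), "scoped" for a specific address.
classify_listener() {
    case "$1" in
        0.0.0.0|'*'|'[::]') echo exposed ;;
        *)                  echo scoped ;;
    esac
}

# Verdict for a whole listing: exposed / scoped / none (no rsyncd at all).
rsyncd_verdict() {
    listeners=$(rsyncd_listeners "$1")
    if [ -z "$listeners" ]; then
        echo none
        return
    fi
    for a in $listeners; do
        if [ "$(classify_listener "$a")" = exposed ]; then
            echo exposed
            return
        fi
    done
    echo scoped
}

# Constructed samples: sshd on all interfaces, rsyncd only on a (hypothetical)
# WireGuard address 10.8.0.1 in the first; rsyncd on every interface in the second.
SAMPLE_SCOPED='LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 5 10.8.0.1:873 0.0.0.0:*'
SAMPLE_EXPOSED='LISTEN 0 5 0.0.0.0:873 0.0.0.0:*
LISTEN 0 5 [::]:873 [::]:*'

rsyncd_verdict "$SAMPLE_SCOPED"    # scoped
rsyncd_verdict "$SAMPLE_EXPOSED"   # exposed
```

On a live host, run `rsyncd_verdict "$(ss -Hltn)"`; a "scoped" result only means the daemon is not on a wildcard address, so still confirm the bound address is actually a VPN interface and patch rsync regardless.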
Linux mirror sync, imagine you're running an upstream and some downstreams are trying to run rsync with you