| Summary: | rsync new security issue CVE-2014-2855 | ||
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | normal | ||
| Priority: | Normal | CC: | napcok, olchal, sysadmin-bugs, tmb |
| Version: | 4 | Keywords: | validated_update |
| Target Milestone: | --- | ||
| Hardware: | i586 | ||
| OS: | Linux | ||
| URL: | http://lwn.net/Vulnerabilities/595446/ | ||
| Whiteboard: | has_procedure advisory mga4-32-ok mga4-64-ok | ||
| Source RPM: | rsync-3.1.0-4.1.mga4.src.rpm | CVE: | |
| Status comment: | |||
Description
David Walser
2014-04-15 19:06:20 CEST

Tested on mga4 32 and 64bit.

CC: (none) => napcok

Thanks Daniel
Advisory uploaded. Validating.
Could sysadmin please push to 4 updates
Thanks

Keywords: (none) => validated_update

Update pushed: http://advisories.mageia.org/MGASA-2014-0179.html

Status: NEW => RESOLVED

David Walser
2014-04-18 18:15:14 CEST

URL: (none) => http://lwn.net/Vulnerabilities/595446/

Not fixed, due to improper usage of the setup macro, re-extracting the tarball after the patches were applied.

Fixed package uploaded for Mageia 4.

Advisory:
========================

Updated rsync package fixes security vulnerability:

Ryan Finnie discovered that rsync 3.1.0 contains a denial of service issue when attempting to authenticate using a nonexistent username. A remote attacker could use this flaw to cause a denial of service via CPU consumption (CVE-2014-2855).

The previous update for this issue in MGASA-2014-0179 failed to properly apply the needed patch, so the package has been rebuilt to address this issue.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2855
http://openwall.com/lists/oss-security/2014/04/15/1
http://advisories.mageia.org/MGASA-2014-0179.html
========================

Updated packages in core/updates_testing:
========================
rsync-3.1.0-4.3.mga4 from rsync-3.1.0-4.3.mga4.src.rpm

Keywords: validated_update => (none)

I've used rsync to update my local Mageia 4 mirror at work with the newest updates pushed today. I also run an rsync server on that machine, and I re-synced the local copy of the Mageia 4 mirror on my workstation from that, so I've tested the client and server parts of rsync and it worked fine. I haven't tested authentication. I'm using Mageia 4 i586.

Testing on Mageia 4x64 real hardware, rsync-3.1.0-4.3.mga4.x86_64
Used testing package of rsync to resync mageia5 beta3 to round 4. No problems encountered.

CC: (none) => olchal

Testing complete mga4 32 & 64
Configured server with authentication.
man rsyncd.conf gives details but googled for examples.
# cat /etc/rsyncd.conf
use chroot = yes
max connections = 4
pid file = /var/run/rsyncd.pid
exclude = lost+found/
transfer logging = yes
timeout = 900
ignore nonreadable = yes
dont compress = *.gz *.tgz *.zip *.z *.Z *.rpm *.deb *.bz2
[pub]
path = /some/path/to/serve
auth users = qatest
secrets file = /etc/rsyncsecrets
# cat /etc/rsyncsecrets
qatest:somepassword
the secrets file has to be restricted access..
# chmod 600 /etc/rsyncsecrets
# systemctl start rsyncd.service
# systemctl status rsyncd.service
rsyncd.service - fast remote file copy program daemon
Loaded: loaded (/usr/lib/systemd/system/rsyncd.service; disabled)
Active: active (running) since Fri 2015-02-13 13:14:24 GMT; 4s ago
Main PID: 10651 (rsync)
CGroup: /system.slice/rsyncd.service
└─10651 /usr/bin/rsync --daemon --no-detach
Then accessed the server to sync the directory being served to a test directory.
$ cd test
$ RSYNC_PASSWORD="somepassword" rsync -avHP rsync://qatest@localhost/pub/ .
receiving incremental file list
...etc
sent 360 bytes received 543,890 bytes 1,088,500.00 bytes/sec
total size is 542,544 speedup is 1.00
# systemctl stop rsyncd.service

Whiteboard: (none) => mga4-32-ok mga4-64-ok

Validating. Advisory updated. Previous ID removed. This one requires manual push/email please. Thanks

Keywords: (none) => validated_update

An update for this issue has been pushed to Mageia Updates repository.
http://advisories.mageia.org/MGASA-2015-0065.html

Status: REOPENED => RESOLVED
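The QA procedure above configures an authenticated rsync module (`auth users` plus a `secrets file`) and notes that the secrets file must be restricted to mode 600. The script below is an added example, not code from the bug report or from the rsync project: a POSIX shell check that reads a module's `auth users` and `secrets file` settings out of an rsyncd.conf, verifies the secrets file is mode 600 (or 400), which is what rsyncd's default `strict modes = yes` enforces by refusing a secrets file readable by any other user, and confirms every listed user has a `user:password` line. The function names, the module name `pub`, and the file paths are assumptions; `@group` entries in `auth users` are skipped rather than resolved.

```shell
#!/bin/sh
# Added example, not from the bug report or from rsync itself: check the
# authentication settings of one rsyncd.conf module the way the QA test
# above configured them (auth users + secrets file + chmod 600).
# Assumptions: plain module/parameter names, secrets lines are "user:password".

# Print the value of <parameter> inside [<module>] of <conf>, empty if unset.
rsyncd_param() {
    conf=$1; module=$2; key=$3
    awk -v mod="$module" -v key="$key" '
        /^[[:space:]]*\[/ {
            insec = ($0 ~ ("^[[:space:]]*\\[" mod "\\][[:space:]]*$")); next
        }
        insec && $0 ~ ("^[[:space:]]*" key "[[:space:]]*=") {
            sub("^[[:space:]]*" key "[[:space:]]*=[[:space:]]*", "")
            sub("[[:space:]]*$", "")
            print; exit
        }' "$conf"
}

# Print the octal permission bits of a file (GNU stat, falling back to BSD stat).
file_mode() {
    stat -c %a "$1" 2>/dev/null || stat -f %Lp "$1"
}

# Check one module. Returns 0 when the secrets file is mode 600 (or 400) and
# every "auth users" entry has a matching secrets line; otherwise prints each
# finding and returns 1. Returns 2 when the module is not set up for auth at all.
# rsyncd itself, with the default "strict modes = yes", refuses a secrets file
# that is readable by any user other than the one the daemon runs as.
check_rsyncd_auth() {
    conf=$1; module=$2; rc=0
    users=$(rsyncd_param "$conf" "$module" "auth users")
    secrets=$(rsyncd_param "$conf" "$module" "secrets file")
    if [ -z "$users" ]; then
        echo "$module: no 'auth users', module is anonymous"; return 2
    fi
    if [ -z "$secrets" ]; then
        echo "$module: 'auth users' set but no 'secrets file'"; return 2
    fi
    if [ ! -f "$secrets" ]; then
        echo "$module: secrets file $secrets does not exist"; return 2
    fi
    mode=$(file_mode "$secrets")
    case $mode in
        600|400) ;;
        *) echo "$module: $secrets has mode $mode, want 600"; rc=1 ;;
    esac
    # "auth users" is a comma/space separated list; names may carry :ro or :rw.
    for entry in $(printf '%s\n' "$users" | tr ',' ' '); do
        name=${entry%%:*}
        case $name in @*) continue ;; esac   # @group entries are not checked here
        if ! grep -q "^$name:" "$secrets"; then
            echo "$module: auth user '$name' has no entry in $secrets"; rc=1
        fi
    done
    return $rc
}

# Usage: sh check_rsyncd_auth.sh /etc/rsyncd.conf pub
if [ $# -ge 2 ]; then
    check_rsyncd_auth "$1" "$2"
fi
```

Run it against the config from the procedure above with `sh check_rsyncd_auth.sh /etc/rsyncd.conf pub`; a non-zero exit with findings means the daemon would either reject the secrets file outright or let a listed user fail authentication for lack of an entry.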