A CVE has been allocated for a DoS issue fixed upstream in rsync:
http://openwall.com/lists/oss-security/2014/04/15/1

Patched packages uploaded for Mageia 4 and Cauldron. Mageia 3 is not affected as only rsync version 3.1.0 is vulnerable.

Advisory:
========================

Updated rsync package fixes security vulnerability:

Ryan Finnie discovered that rsync 3.1.0 contains a denial of service issue when attempting to authenticate using a nonexistent username. A remote attacker could use this flaw to cause a denial of service via CPU consumption (CVE-2014-2855).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2855
http://openwall.com/lists/oss-security/2014/04/15/1
========================

Updated packages in core/updates_testing:
========================
rsync-3.1.0-4.2.mga4

from rsync-3.1.0-4.2.mga4.src.rpm
Tested on mga4 32 and 64bit.
CC: (none) => napcok
Whiteboard: (none) => mga4-64-ok mga4-32-ok
Thanks Daniel. Advisory uploaded. Validating. Could sysadmin please push to 4 updates? Thanks.
Keywords: (none) => validated_update
Whiteboard: mga4-64-ok mga4-32-ok => advisory mga4-64-ok mga4-32-ok
CC: (none) => sysadmin-bugs
Update pushed: http://advisories.mageia.org/MGASA-2014-0179.html
Status: NEW => RESOLVED
CC: (none) => tmb
Resolution: (none) => FIXED
URL: (none) => http://lwn.net/Vulnerabilities/595446/
Not fixed, due to improper usage of the setup macro, re-extracting the tarball after the patches were applied. Fixed package uploaded for Mageia 4.

Advisory:
========================

Updated rsync package fixes security vulnerability:

Ryan Finnie discovered that rsync 3.1.0 contains a denial of service issue when attempting to authenticate using a nonexistent username. A remote attacker could use this flaw to cause a denial of service via CPU consumption (CVE-2014-2855).

The previous update for this issue in MGASA-2014-0179 failed to properly apply the needed patch, so the package has been rebuilt to address this issue.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2855
http://openwall.com/lists/oss-security/2014/04/15/1
http://advisories.mageia.org/MGASA-2014-0179.html
========================

Updated packages in core/updates_testing:
========================
rsync-3.1.0-4.3.mga4

from rsync-3.1.0-4.3.mga4.src.rpm
Keywords: validated_update => (none)
Status: RESOLVED => REOPENED
Resolution: FIXED => (none)
Whiteboard: advisory mga4-64-ok mga4-32-ok => (none)
I've used rsync to update my local Mageia 4 mirror at work with the newest updates pushed today. I also run an rsync server on that machine, and I re-synced the local copy of the Mageia 4 mirror on my workstation from that, so I've tested the client and server parts of rsync and it worked fine. I haven't tested authentication. I'm using Mageia 4 i586.
Testing on Mageia 4x64 real hardware, rsync-3.1.0-4.3.mga4.x86_64 Used testing package of rsync to resync mageia5 beta3 to round 4. No problems encountered.
CC: (none) => olchal
Testing complete mga4 32 & 64.

Configured server with authentication. man rsyncd.conf gives details but googled for examples.

# cat /etc/rsyncd.conf
use chroot = yes
max connections = 4
pid file = /var/run/rsyncd.pid
exclude = lost+found/
transfer logging = yes
timeout = 900
ignore nonreadable = yes
dont compress = *.gz *.tgz *.zip *.z *.Z *.rpm *.deb *.bz2

[pub]
path = /some/path/to/serve
auth users = qatest
secrets file = /etc/rsyncsecrets

# cat /etc/rsyncsecrets
qatest:somepassword

The secrets file has to be restricted access:

# chmod 600 /etc/rsyncsecrets
# systemctl start rsyncd.service
# systemctl status rsyncd.service
rsyncd.service - fast remote file copy program daemon
   Loaded: loaded (/usr/lib/systemd/system/rsyncd.service; disabled)
   Active: active (running) since Fri 2015-02-13 13:14:24 GMT; 4s ago
 Main PID: 10651 (rsync)
   CGroup: /system.slice/rsyncd.service
           └─10651 /usr/bin/rsync --daemon --no-detach

Then accessed the server to sync the directory being served to a test directory.

$ cd test
$ RSYNC_PASSWORD="somepassword" rsync -avHP rsync://qatest@localhost/pub/ .
receiving incremental file list
...etc
sent 360 bytes  received 543,890 bytes  1,088,500.00 bytes/sec
total size is 542,544  speedup is 1.00

# systemctl stop rsyncd.service
Whiteboard: (none) => mga4-32-ok mga4-64-ok
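The daemon configuration built in the test comment above is easy to get subtly wrong: a secrets file left group- or world-readable, an "auth users" entry with no matching line in the secrets file, or a module that was meant to be password-protected but has no "auth users" at all. The script below is an added example for this page, not code from rsync, Mageia or the tester. It parses an rsyncd.conf together with its secrets file and reports those mistakes before the daemon is started. The module names, paths and the two sample configurations it constructs are invented for the example; it does not exercise CVE-2014-2855 itself, which needs a client presenting an unknown user name to a running 3.1.0 daemon.

```python
"""Pre-flight check for rsyncd.conf modules that use 'auth users' + 'secrets file'.

Added example for this bug thread (not rsync's or Mageia's code). The sample
configurations and file names in demo() are constructed for illustration.
"""
import configparser
import os
import stat
import tempfile


def parse_rsyncd_conf(text):
    """Parse rsyncd.conf text into ({global params}, {module: {params}}).

    rsyncd.conf is INI-like: 'key = value' lines, [module] headers, '#' comments.
    Parameters before the first [module] are global defaults, so they are read
    under a synthetic [global] header. Keys are normalised to lower case.
    """
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str.lower
    cp.read_string("[global]\n" + text)
    globals_ = dict(cp["global"])
    modules = {name: dict(cp[name]) for name in cp.sections() if name != "global"}
    return globals_, modules


def is_true(value, default=True):
    """rsync accepts yes/no, true/false, 1/0 for boolean parameters."""
    if value is None:
        return default
    return value.strip().lower() in ("yes", "true", "1")


def read_secrets(path):
    """Return the set of user names in a secrets file of 'user:password' lines."""
    users = set()
    with open(path) as fh:
        for line in fh:
            line = line.strip()
            if line and not line.startswith("#") and ":" in line:
                users.add(line.split(":", 1)[0])
    return users


def auth_user_names(spec):
    """'alice, bob:ro, @admins' -> ['alice', 'bob', '@admins'] (':ro'/':rw' suffix stripped)."""
    return [entry.split(":", 1)[0] for entry in spec.replace(",", " ").split()]


def check_rsyncd_auth(conf_text):
    """Return a list of (module, message) findings; an empty list means clean."""
    findings = []
    globals_, modules = parse_rsyncd_conf(conf_text)
    for name, params in modules.items():
        merged = dict(globals_)          # module parameters override global defaults
        merged.update(params)
        auth_users = merged.get("auth users")
        if auth_users is None:
            findings.append((name, "no 'auth users': module is reachable without a password"))
            continue
        secrets = merged.get("secrets file")
        if not secrets:
            findings.append((name, "'auth users' set but no 'secrets file': every login will fail"))
            continue
        if not os.path.isfile(secrets):
            findings.append((name, "secrets file %s does not exist" % secrets))
            continue
        mode = stat.S_IMODE(os.stat(secrets).st_mode)
        # Stricter than rsync's own test: flag any group/other bit. With 'strict
        # modes' on (the default) rsync rejects a secrets file readable by other users.
        if mode & (stat.S_IRWXG | stat.S_IRWXO):
            if is_true(merged.get("strict modes")):
                findings.append((name, "secrets file %s is mode %o; rsync will reject it with strict modes on" % (secrets, mode)))
            else:
                findings.append((name, "secrets file %s is mode %o and strict modes is off: passwords readable by others" % (secrets, mode)))
        known = read_secrets(secrets)
        for user in auth_user_names(auth_users):
            if user.startswith("@"):
                continue                 # group entries are resolved by rsync, not from the secrets file
            if user not in known:
                findings.append((name, "auth user '%s' has no entry in %s" % (user, secrets)))
    return findings


def demo():
    """Build one clean and one broken configuration in a temp dir and check both."""
    with tempfile.TemporaryDirectory() as tmp:
        good_secrets = os.path.join(tmp, "rsyncsecrets.good")
        with open(good_secrets, "w") as fh:
            fh.write("qatest:somepassword\n")
        os.chmod(good_secrets, 0o600)    # what the tester's 'chmod 600' achieved
        bad_secrets = os.path.join(tmp, "rsyncsecrets.bad")
        with open(bad_secrets, "w") as fh:
            fh.write("qatest:somepassword\n")
        os.chmod(bad_secrets, 0o644)     # world-readable: the mistake being caught
        good_conf = "use chroot = yes\nmax connections = 4\n\n[pub]\npath = /srv/pub\n" \
                    "auth users = qatest\nsecrets file = " + good_secrets + "\n"
        bad_conf = "use chroot = yes\n\n[pub]\npath = /srv/pub\nauth users = qatest, backup:ro\n" \
                   "secrets file = " + bad_secrets + "\n\n[anon]\npath = /srv/anon\n"
        return check_rsyncd_auth(good_conf), check_rsyncd_auth(bad_conf)


if __name__ == "__main__":
    for label, findings in zip(("good", "bad"), demo()):
        print("%s config: %d finding(s)" % (label, len(findings)))
        for module, message in findings:
            print("  [%s] %s" % (module, message))
```

On a real host, call `check_rsyncd_auth(open("/etc/rsyncd.conf").read())` as the same user the daemon runs as, so the secrets file is readable by the check. The "no 'auth users'" finding is informational: an intentionally public module will always trigger it.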
Validating. Advisory updated. Previous ID removed. This one requires manual push/email please. Thanks
Keywords: (none) => validated_update
Whiteboard: mga4-32-ok mga4-64-ok => has_procedure advisory mga4-32-ok mga4-64-ok
An update for this issue has been pushed to Mageia Updates repository. http://advisories.mageia.org/MGASA-2015-0065.html
Status: REOPENED => RESOLVED
Resolution: (none) => FIXED