OpenSuSE has issued an advisory today (October 15):
Patched packages uploaded for Mageia 5 and Cauldron.
Updated rsync package fixes security vulnerability:
Michael Samuel discovered that rsync was vulnerable to checksum collisions.
This could prevent rsync from running and syncing files successfully, which
could break various applications that use and rely on rsync (rhbz#1197601).
The patched rsync is no longer vulnerable to this issue as long as both the rsync
client and the rsync server support the newly added 'C' option; with an unpatched
peer on either side the old behaviour is used. This issue is similar to an issue in
librsync which was fixed in MGASA-2015-0146.
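What a "checksum collision" means for an rsync transfer, as an added illustration (this is example code written for this page, not rsync's, Mageia's or the reporter's code): the rolling weak checksum only nominates candidate blocks, the seeded strong checksum confirms or rejects them, and a whole-file checksum at the end is the last check before the file counts as synced. In this model a strong-checksum collision would surface only at that final check, so the file could not be completed. The block size, the way the seed is mixed into the strong hash, the 4-byte cost per copy token used for the speedup figure, the use of MD5 and the constructed inputs are all assumptions of the example, not facts from the advisory.

```python
"""Toy model of rsync-style block matching: rolling weak checksum, seeded strong
checksum, delta, rebuild and whole-file verification. Added example; it is not
rsync's code and simplifies the real protocol (small fixed block size, no
partial trailing block in the signature, no network)."""
import hashlib

BLOCK = 16  # toy block size; real rsync derives a much larger one from the file size


def weak_checksum(block):
    """rsync-style Adler-32 variant: s1 = sum of bytes, s2 = position-weighted sum,
    each kept to 16 bits and packed into one 32-bit value."""
    s1 = s2 = 0
    n = len(block)
    for i, x in enumerate(block):
        s1 += x
        s2 += (n - i) * x
    return (s1 & 0xFFFF) | ((s2 & 0xFFFF) << 16)


def roll(s1, s2, out_byte, in_byte, n=BLOCK):
    """Slide an n-byte window one byte to the right without rescanning it."""
    s1 = (s1 - out_byte + in_byte) & 0xFFFF
    s2 = (s2 - n * out_byte + s1) & 0xFFFF
    return s1, s2


def strong_checksum(block, seed):
    """Per-block strong checksum. rsync mixes a per-transfer seed into this hash;
    prepending it (and using MD5) is this example's assumption."""
    return hashlib.md5(seed + block).digest()


def signature(old, seed):
    """Receiver side: index every full block of the file it already has by weak
    checksum, then by strong checksum, mapping to the block number."""
    sig = {}
    for num, off in enumerate(range(0, len(old) - BLOCK + 1, BLOCK)):
        blk = old[off:off + BLOCK]
        sig.setdefault(weak_checksum(blk), {})[strong_checksum(blk, seed)] = num
    return sig


def delta(new, sig, seed):
    """Sender side: scan `new` with the rolling checksum. A weak hit is only a
    candidate; the strong checksum decides. Returns the tokens and the number of
    weak hits the strong checksum rejected (harmless weak collisions)."""
    tokens, lit, false_hits = [], bytearray(), 0
    i, n = 0, len(new)
    s1 = s2 = None
    while i + BLOCK <= n:
        if s1 is None:  # (re)start the window at the beginning or after a match
            w = weak_checksum(new[i:i + BLOCK])
            s1, s2 = w & 0xFFFF, w >> 16
        match = None
        candidates = sig.get(s1 | (s2 << 16))
        if candidates is not None:
            match = candidates.get(strong_checksum(new[i:i + BLOCK], seed))
            if match is None:
                false_hits += 1
        if match is not None:
            if lit:
                tokens.append(("lit", bytes(lit)))
                lit = bytearray()
            tokens.append(("copy", match))
            i += BLOCK
            s1 = None
        else:
            lit.append(new[i])
            i += 1
            if i + BLOCK <= n:
                s1, s2 = roll(s1, s2, new[i - 1], new[i + BLOCK - 1])
    lit += new[i:]  # a tail shorter than one block is always sent literally
    if lit:
        tokens.append(("lit", bytes(lit)))
    return tokens, false_hits


def apply_delta(old, tokens):
    """Receiver side: rebuild the new file from its old copy plus the delta."""
    out = bytearray()
    for kind, val in tokens:
        out += old[val * BLOCK:(val + 1) * BLOCK] if kind == "copy" else val
    return bytes(out)


def transfer(old, new, seed):
    """One rsync-style round. The whole-file MD5 comparison at the end is where a
    block-level strong-checksum collision would be caught. Speedup is approximated
    as file size over bytes on the wire, counting 4 bytes per copy token."""
    tokens, false_hits = delta(new, signature(old, seed), seed)
    rebuilt = apply_delta(old, tokens)
    wire = sum(len(v) if k == "lit" else 4 for k, v in tokens)
    ok = hashlib.md5(rebuilt).digest() == hashlib.md5(new).digest()
    return ok, rebuilt, len(new) / max(wire, 1), false_hits


# Constructed inputs: a repetitive "ISO" with one word changed, and two blocks
# built so their weak checksums collide while the contents differ
# (1*16 + 3*15 + 1*14 == 2*16 + 1*15 + 2*14 and both byte sums are 5).
OLD_ISO = b"The quick brown fox jumps over the lazy dog. " * 8
NEW_ISO = OLD_ISO.replace(b"lazy", b"LAZY", 1)
WEAK_TWIN_A = b"\x01\x03\x01" + b"\x00" * 13
WEAK_TWIN_B = b"\x02\x01\x02" + b"\x00" * 13
TAIL = b"ABCDEFGHIJKLMNOP"

if __name__ == "__main__":
    seed = b"\x00\x01\x02\x03"  # fixed only so the run is reproducible
    ok, _, speedup, fh = transfer(OLD_ISO, NEW_ISO, seed)
    print(f"edited file: verified={ok} speedup={speedup:.2f} weak false hits={fh}")
    ok, rebuilt, _, fh = transfer(WEAK_TWIN_A + TAIL, WEAK_TWIN_B + TAIL, seed)
    print(f"weak twin: verified={ok} exact={rebuilt == WEAK_TWIN_B + TAIL} weak false hits={fh}")
```

The weak-twin input shows the benign case: the weak checksum nominates the wrong block, the strong checksum rejects it, the bytes go over as a literal and the result still verifies. The seed is what stops a precomputed strong-checksum collision from working against every transfer, which is why an upgrade only helps when both ends use the new behaviour.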
Steps to Reproduce:
Testing Mag5 x64 real hardware: rsync-3.1.1-5.mga5
Used the release ISOs, for one particular ISO. *Note that between-release directory & file names must be adjusted between steps*. [I have a tool to do this for me. If you want to play this one - be ultra careful: the slightest local/remote name discrepancy will download entire files, rather than synchronising them].
- rsynced my local most recent [final] ISO directory with its equivalent on the server. It was (as expected) up-to date, so nothing happened; correct behaviour. Checksums OK.
- Copied the 'final' *.iso file to a different directory for future reference.
- rsynced the local 'final' ISO directory with the previous release [rc] on the server. It took about 17m with a speedup of 3.17. Checksums OK.
- rsynced the local 'rc' ISO directory with its server 'final' equivalent. It took about 17m with a speedup of 3.15. Checksums OK.
- As an extra check, 'cmp' the original saved 'final' *.iso file with its new local equivalent. No difference.
This was a very thorough test. Update OK.
I tested it with an old client and an updated server, an updated client and an old server, and an updated client and an updated server; all worked OK. Mageia 5 i586.
advisory MGA5-64-OK => MGA5-32-OK MGA5-64-OK advisory
Validating this update
An update for this issue has been pushed to the Mageia Updates repository.
LWN entry for the vulnerability in rsync: