Debian has issued an advisory on December 17: https://www.debian.org/security/2017/dsa-4068 The Debian page about the CVE has a link to the upstream commit to fix it: https://security-tracker.debian.org/tracker/CVE-2017-16548 Mageia 5 and Mageia 6 are also affected.
Severity: normal => critical
Whiteboard: (none) => MGA6TOO, MGA5TOO
Assigning to all packagers collectively, since there is no registered maintainer for this package.
CC: (none) => marja11, nicolas.salguero
Assignee: bugsquad => pkg-bugs
Suggested advisory:
========================

The updated package fixes a security vulnerability:

The receive_xattr function in xattrs.c in rsync 3.1.2 and 3.1.3-development does not check for a trailing '\0' character in an xattr name, which allows remote attackers to cause a denial of service (heap-based buffer over-read and application crash) or possibly have unspecified other impact by sending crafted data to the daemon. (CVE-2017-16548)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-16548
https://www.debian.org/security/2017/dsa-4068
========================

Updated package in 5/core/updates_testing:
========================
rsync-3.1.1-5.3.mga5

from SRPMS:
rsync-3.1.1-5.3.mga5.src.rpm

Updated package in 6/core/updates_testing:
========================
rsync-3.1.2-1.2.mga6

from SRPMS:
rsync-3.1.2-1.2.mga6.src.rpm
Status: NEW => ASSIGNED
CVE: (none) => CVE-2017-16548
Assignee: pkg-bugs => qa-bugs
Version: Cauldron => 6
Whiteboard: MGA6TOO, MGA5TOO => MGA5TOO
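The advisory above describes the defect class: a length-delimited xattr name received from the network is treated as a NUL-terminated C string without confirming that the terminator actually lies inside the received bytes, so string routines read past the end of the heap buffer. The following is an added illustration of the defensive check, not rsync's own code or its upstream fix; the function names, the buffer layout and the sample inputs are assumptions constructed for this example.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical helper (not from rsync): report whether a received
 * length-delimited field contains a '\0' within its declared length.
 * memchr() is bounded by len, so the check itself never reads past
 * the buffer, unlike strlen() on an unterminated field. */
int xattr_name_terminated(const unsigned char *buf, size_t len)
{
    if (buf == NULL || len == 0)
        return 0;
    return memchr(buf, '\0', len) != NULL;
}

/* Hypothetical helper (not from rsync): return the name length
 * (excluding the NUL) when the field is a well-formed, non-empty,
 * NUL-terminated name, or -1 when it must be rejected. A caller that
 * only proceeds on a non-negative result never hands an unterminated
 * buffer to string functions. */
long xattr_name_length(const unsigned char *buf, size_t len)
{
    const unsigned char *nul;

    if (buf == NULL || len == 0)
        return -1;
    nul = memchr(buf, '\0', len);
    if (nul == NULL)
        return -1;          /* no terminator inside the received bytes */
    if (nul == buf)
        return -1;          /* empty name is not a usable xattr name */
    return (long)(nul - buf);
}

int main(void)
{
    /* Constructed sample fields, as a peer might send them. */
    const unsigned char good[] = { 'u', 's', 'e', 'r', '.', 'a', '\0' };
    const unsigned char bad[]  = { 'u', 's', 'e', 'r', '.', 'a' };

    printf("terminated name: length %ld\n",
           xattr_name_length(good, sizeof good));
    printf("unterminated name: length %ld (rejected)\n",
           xattr_name_length(bad, sizeof bad));
    return 0;
}
```

The point of the bounded check is that the decision to reject is made using only the declared length, before any call that would scan for a terminator on its own.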
Mageia 5 :: x86_64

Updated the package. Used rsync to copy a text file from one machine to another on the LAN. Edited the file, then moved to the other machine and synchronized a copy of the original file with the remote file, and then used diff to show the differences between the original and the rsynced file. All in order.

Changed directory to the Mageia-6-LiveDVD-Xfce-i586-DVD directory and ran the command:

$ RSYNC_PASSWORD="<password>" rsync -avHP rsync://isoqa@bcd.mageia.org/isos/mageia6/Mageia-6-LiveDVD-Xfce-i586-DVD/ .
receiving incremental file list

sent 20 bytes  received 379 bytes  266.00 bytes/sec
total size is 1,984,052,071  speedup is 4,972,561.58

which is expected. This is fine for mga5::x86_64.
CC: (none) => tarazed25
Whiteboard: MGA5TOO => MGA5TOO MGA5-64-OK
Mageia 6 :: x86_64

Installed the update and ran similar tests to those in comment 3, using rsync to download remote files, overwrite local files and synchronize a Mageia iso. No regressions. Passing this for mga6 on 64-bit architecture.
Whiteboard: MGA5TOO MGA5-64-OK => MGA5TOO MGA5-64-OK MGA6-64-OK
Thanks Len for both your rapid tests. Validating + advisory.
Keywords: (none) => advisory, validated_update
CC: (none) => lewyssmith, sysadmin-bugs
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2017-0459.html
Resolution: (none) => FIXED
Status: ASSIGNED => RESOLVED