Debian has issued an advisory on December 17:
The Debian page about the CVE has a link to the upstream commit to fix it:
Mageia 5 and Mageia 6 are also affected.
Assigning to all packagers collectively, since there is no registered maintainer for this package.
The updated package fixes a security vulnerability:
The receive_xattr function in xattrs.c in rsync 3.1.2 and 3.1.3-development does not check for a trailing '\0' character in an xattr name, which allows remote attackers to cause a denial of service (heap-based buffer over-read and application crash) or possibly have unspecified other impact by sending crafted data to the daemon. (CVE-2017-16548)
Updated package in 5/core/updates_testing:
Updated package in 6/core/updates_testing:
MGA6TOO, MGA5TOO =>
Mageia 5 :: x86_64
Updated the package.
Used rsync to copy a text file from one machine to another on the LAN.
Edited the file then moved to the other machine and synchronized a copy of the original file with the remote file and then used diff to show the differences between the original and the rsynced file. All in order.
Changed directory to the Mageia-6-LiveDVD-Xfce-i586-DVD directory and ran the command:
$ RSYNC_PASSWORD="<password>" rsync -avHP rsync://email@example.com/isos/mageia6/Mageia-6-LiveDVD-Xfce-i586-DVD/ .
receiving incremental file list
sent 20 bytes received 379 bytes 266.00 bytes/sec
total size is 1,984,052,071 speedup is 4,972,561.58
which is expected.
This is fine for mga5::x86_64.
Mageia 6 :: x86_64
Installed the update and ran similar tests to those in comment 3 using rsync to download remote files, overwrite local files and synchronize a Mageia iso.
Passing this for mga6 on 64-bit architecture.
MGA5TOO MGA5-64-OK =>
MGA5TOO MGA5-64-OK MGA6-64-OK
Thanks Len for both your rapid tests. Validating + advisory.
An update for this issue has been pushed to the Mageia Updates repository.
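The CVE description quoted above comes down to a peer-supplied name being used as a C string without first confirming that it ends in '\0'. The following is an added example, not rsync's code and not part of the original report, showing that check on a receiver; the one-byte length prefix, the function names and the sample messages are assumptions constructed for illustration.

```c
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed sample messages: 1-byte length prefix, then the name bytes. */
static const unsigned char GOOD[]      = {10, 'u','s','e','r','.','t','e','s','t','\0'};
static const unsigned char NO_NUL[]    = {9,  'u','s','e','r','.','t','e','s','t'};
static const unsigned char EMPTY[]     = {0};
static const unsigned char SHORT_MSG[] = {20, 'a', '\0'};

/* Hypothetical receiver (not rsync code): copy a length-prefixed name into a
 * heap buffer of exactly name_len bytes, returning NULL on malformed input. */
char *recv_name_checked(const unsigned char *wire, size_t wire_len)
{
    size_t name_len;
    char *name;

    if (wire_len < 1)
        return NULL;
    name_len = wire[0];
    if (name_len > wire_len - 1)   /* declared length exceeds received data */
        return NULL;
    /* The check the description says was missing: the name must be non-empty
     * and its last byte must be '\0'. Without it, strlen() or strcmp() on the
     * copy would keep reading heap memory past name_len bytes. */
    if (name_len < 1 || wire[name_len] != '\0')
        return NULL;
    name = malloc(name_len);
    if (name != NULL)
        memcpy(name, wire + 1, name_len);
    return name;
}

/* Returns 1 if the message yields a usable name, 0 if it is rejected. */
int name_accepted(const unsigned char *wire, size_t wire_len)
{
    char *name = recv_name_checked(wire, wire_len);
    int ok = (name != NULL);
    free(name);
    return ok;
}

int main(void)
{
    printf("good=%d no_nul=%d empty=%d short=%d\n",
           name_accepted(GOOD, sizeof GOOD), name_accepted(NO_NUL, sizeof NO_NUL),
           name_accepted(EMPTY, sizeof EMPTY), name_accepted(SHORT_MSG, sizeof SHORT_MSG));
    return 0;
}
```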