Ubuntu has issued an advisory today (February 25): https://usn.ubuntu.com/4292-1/ These issues were fixed in our zlib package in Bug 19529, but because rsync was changed to not use the system zlib in Bug 13669, rsync is still vulnerable. Mageia 7 is also affected.
Whiteboard: (none) => MGA7TOO
Assigning globally in the light of no evident packager for 'rsync'; CC Marc who committed the last significant change.
Assignee: bugsquad => pkg-bugs
CC: (none) => mageia
If no one complains, I would change this back to use the external zlib, which is now supported. If this breaks old arch packages, it is possible to disable compression. I think we should prefer security over compatibility (and version 3.1 has been released for some time).
(In reply to Marc Krämer from comment #2)
> if no one complains, I would change this back to use external zlib
Please do so, we have waited too long.
CC: (none) => lists.jjorge
Updated rsync packages fix security vulnerabilities:

It was discovered that rsync incorrectly handled pointer arithmetic in zlib. An attacker could use this issue to cause rsync to crash, resulting in a denial of service, or possibly execute arbitrary code. [1,2]

It was discovered that rsync incorrectly handled vectors involving left shifts of negative integers in zlib. An attacker could use this issue to cause rsync to crash, resulting in a denial of service, or possibly execute arbitrary code. [3]

It was discovered that rsync incorrectly handled vectors involving big-endian CRC calculation in zlib. An attacker could use this issue to cause rsync to crash, resulting in a denial of service, or possibly execute arbitrary code. [4]

Please note, we now compile against the system zlib. If rsync fails to sync with older remote systems when using compression (-z), you have to either update the remote host to a newer version or disable compression.

References:
[1] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9840
[2] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9841
[3] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9842
[4] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9843
========================
Updated packages in core/updates_testing:
========================
rsync-3.1.3-4.mga7
rsync-debugsource-3.1.3-4.mga7
rsync-debuginfo-3.1.3-4.mga7

SRPM: rsync-3.1.3-4.mga7.src.rpm
Version: Cauldron => 7
Whiteboard: MGA7TOO => (none)
Assignee: pkg-bugs => qa-bugs
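The advisory above turns on one fact: whether an rsync binary carries its own copy of zlib (the vulnerable 3.1.x default, with no shared-library dependency) or links the system libz.so.1 that Mageia already patched in Bug 19529. The snippet below is an added example, not code from the Mageia bug or the rsync project: it classifies `ldd` output by the presence of a libz.so entry, and then applies that check to whatever rsync is installed. The sample `ldd` outputs are constructed, not captured from a real system, and the assumption that "no libz.so dependency" means "bundled zlib" holds for a dynamically linked rsync built from the stock sources.

```shell
# Classify how an rsync binary obtains zlib from the text of `ldd <binary>`.
# Assumption (added example): an rsync built with the bundled zlib compiles the
# zlib sources into the executable, so no libz.so.1 NEEDED entry appears; an
# rsync built against the system library (as rsync-3.1.3-4.mga7 is) lists it.
zlib_linkage() {
  # $1: ldd output, one shared object per line
  if printf '%s\n' "$1" | grep -q 'libz\.so'; then
    echo system
  else
    echo bundled
  fi
}

# Constructed sample outputs for the two cases (addresses are made up).
LDD_SYSTEM='	linux-vdso.so.1 (0x00007ffd1a2b3000)
	libz.so.1 => /lib64/libz.so.1 (0x00007f3c4d5e6000)
	libc.so.6 => /lib64/libc.so.6 (0x00007f3c4d1f0000)'
LDD_BUNDLED='	linux-vdso.so.1 (0x00007ffd1a2b3000)
	libacl.so.1 => /lib64/libacl.so.1 (0x00007f3c4d5e6000)
	libc.so.6 => /lib64/libc.so.6 (0x00007f3c4d1f0000)'

# Run the classification against the rsync on PATH, if there is one.
check_installed_rsync() {
  bin=$(command -v rsync 2>/dev/null) || { echo "rsync not installed"; return 0; }
  zlib_linkage "$(ldd "$bin" 2>/dev/null)"
}

echo "sample (system zlib):  $(zlib_linkage "$LDD_SYSTEM")"
echo "sample (bundled zlib): $(zlib_linkage "$LDD_BUNDLED")"
echo "installed rsync:       $(check_installed_rsync)"
```

A result of `bundled` on a host that should have received this update means the fix in the system zlib does not reach rsync, which is exactly the situation comment 1 describes. Note also the advisory's caveat: after the switch, a transfer with `-z` against an older remote rsync may fail, and the remedies are to update that remote or to drop `-z` from the command line.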
MGA7-64 Plasma on Lenovo B50
No installation issues.
Used rsync to transfer a bunch of folders and documents from my desktop in the LAN to this laptop: all OK.
Whiteboard: (none) => MGA7-64-OK
CC: (none) => herman.viaene
Validating. Advisory in Comment 4.
Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs
Keywords: (none) => advisory
CC: (none) => tmb
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2020-0108.html
Resolution: (none) => FIXED
Status: NEW => RESOLVED