A security issue in rsync has been announced today (August 2): https://seclists.org/oss-sec/2022/q3/77 The issue will be fixed in 3.2.5. Mageia 8 is also affected.
Whiteboard: (none) => MGA8TOO
openwall version of the URL: https://www.openwall.com/lists/oss-security/2022/08/02/1
Obliged to assign this globally, no one packager in evidence.
Assignee: bugsquad => pkg-bugs
openSUSE has issued an advisory for this on August 16: https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/OZDMOCCGHF4NPIRQFQC2LBFH6YXI6QMU/ Stig-Ørjan has updated Cauldron to 3.2.5.
Version: Cauldron => 8Whiteboard: MGA8TOO => (none)Status comment: (none) => Fixed upstream in 3.2.5CC: (none) => smelror
Suggested advisory: ======================== The updated package fixes a security vulnerability: An issue was discovered in rsync before 3.2.5 that allows malicious remote servers to write arbitrary files inside the directories of connecting peers. The server chooses which files/directories are sent to the client. However, the rsync client performs insufficient validation of file names. A malicious rsync server (or Man-in-The-Middle attacker) can overwrite arbitrary files in the rsync client target directory and subdirectories (for example, overwrite the .ssh/authorized_keys file). (CVE-2022-29154) References: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-29154 https://seclists.org/oss-sec/2022/q3/77 https://www.openwall.com/lists/oss-security/2022/08/02/1 https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/OZDMOCCGHF4NPIRQFQC2LBFH6YXI6QMU/ ======================== Updated package in core/updates_testing: ======================== rsync-3.2.2-2.1.mga8 from SRPM: rsync-3.2.2-2.1.mga8.src.rpm
Source RPM: rsync-3.2.4-1.mga9.src.rpm => rsync-3.2.2-2.mga8.src.rpmCVE: (none) => CVE-2022-29154Status comment: Fixed upstream in 3.2.5 => (none)Status: NEW => ASSIGNEDAssignee: pkg-bugs => qa-bugsCC: (none) => nicolas.salguero
No installation issues. Tested with Qarepo set to use an "rsync" mirror for downloading. Downloaded core versions of a package for testing, then after the test downloaded tainted versions. No issues noted. Giving this an OK, and validating. Advisory in Comment 4.
CC: (none) => andrewsfarm, sysadmin-bugsWhiteboard: (none) => MGA8-64-OKKeywords: (none) => validated_update
Keywords: (none) => advisoryCC: (none) => davidwhodgins
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2022-0302.html
Resolution: (none) => FIXEDStatus: ASSIGNED => RESOLVED