| VID | 23047 |
| Severity | 40 |
| Port | 873 |
| Protocol | TCP |
| Class | RSYNCD |
| Detailed Description |
The rsync server, according to its version number, is vulnerable to a heap overflow. Included in most Linux distributions, rsync is a popular tool for synchronizing files across multiple hosts. Though not enabled in the default configuration, rsync can be run as a daemon (listening on TCP port 873) to facilitate the distribution of files to FTP mirror sites. rsync versions prior to 2.5.7 are vulnerable to a heap overflow in the daemon, caused by improper bounds checking. Exploitation of this vulnerability could corrupt the heap and possibly lead to execution of arbitrary code with the privileges of the daemon process, which is root where the daemon has not dropped privileges to an unprivileged uid.
* Note: This check relied solely on the version number reported by the remote rsync server to assess this vulnerability, so it may be a false positive. Confirm with `rsync --version` on the host, or against the vendor package version, before acting on the result.
* References: http://www.secunia.com/advisories/10353/ ; http://www.securityfocus.com/archive/1/346461
* Platforms Affected: rsync prior to 2.5.7; UNIX, any version; Linux, any version |
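The two checks a practitioner wants after a version-based hit like this one, as an added example that is not part of this scanner entry and not code from the rsync project: an authoritative local check that parses `rsync --version` and compares the release against 2.5.7, and a look at what an unauthenticated connection to port 873 actually reveals. The daemon speaks first and sends `@RSYNCD: <protocol>`, which is the wire-protocol number, not the package version; rsync 2.5.6 and 2.5.7 both advertise protocol 26 (2.6.0 moved to 27), so a remote check can only classify a protocol-26 daemon as undetermined. The `rsync --version` sample string is constructed, and the command-line target host is hypothetical.

```python
import re
import socket

# rsync 2.5.7 is the first release carrying the fix for CVE-2003-0962.
FIXED_RELEASE = (2, 5, 7)

# Wire-protocol number spoken by the whole 2.5 series: 2.5.6 and 2.5.7 both
# greet with "@RSYNCD: 26", so the greeting cannot separate them.
PROTOCOL_2_5_SERIES = 26


def parse_local_version(version_output):
    """Return (major, minor, patch) from `rsync --version` output, e.g.
    'rsync  version 2.5.6  protocol version 26' -> (2, 5, 6)."""
    m = re.search(r"rsync\s+version\s+(\d+)\.(\d+)\.(\d+)", version_output)
    if not m:
        raise ValueError("no rsync version string in input")
    return tuple(int(x) for x in m.groups())


def is_vulnerable_release(release):
    """True for any release older than 2.5.7. Tuple comparison is numeric,
    so a hypothetical 2.5.10 sorts above 2.5.7 as it should."""
    return tuple(release) < FIXED_RELEASE


def parse_daemon_greeting(line):
    """Return the protocol number from the daemon greeting. Pre-3.0 daemons
    send '@RSYNCD: 26'; 3.x daemons send '@RSYNCD: 31.0', possibly followed
    by a list of digest names."""
    m = re.match(r"@RSYNCD:\s*(\d+)(?:\.\d+)?", line.strip())
    if not m:
        raise ValueError("not an rsync daemon greeting: %r" % line)
    return int(m.group(1))


def assess_daemon(greeting):
    """Classify a daemon from its greeting alone.
    'vulnerable'   : protocol below 26, i.e. older than the 2.5 series
    'undetermined' : protocol 26, which covers both 2.5.6 and 2.5.7
    'not affected' : protocol 27 or newer, i.e. rsync 2.6.0 and later"""
    proto = parse_daemon_greeting(greeting)
    if proto < PROTOCOL_2_5_SERIES:
        return "vulnerable"
    if proto == PROTOCOL_2_5_SERIES:
        return "undetermined"
    return "not affected"


def grab_daemon_greeting(host, port=873, timeout=5.0):
    """Connect to an rsync daemon and return its greeting line. The daemon
    writes first, so nothing has to be sent. Touches the network only when
    called."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        return s.makefile("rb").readline().decode("ascii", "replace")


if __name__ == "__main__":
    import sys
    # Constructed sample of the local, authoritative check.
    sample = "rsync  version 2.5.6  protocol version 26\n"
    rel = parse_local_version(sample)
    print("local release %d.%d.%d vulnerable: %s" % (rel + (is_vulnerable_release(rel),)))
    # Remote classification of a hypothetical target given on the command line.
    if len(sys.argv) > 1:
        g = grab_daemon_greeting(sys.argv[1])
        print("%s -> %r -> %s" % (sys.argv[1], g.strip(), assess_daemon(g)))
```

Treat "undetermined" as a prompt for the local check, not as a finding. The local check has its own caveat: a vendor package may carry a backported fix under the old release number, so where the host is covered by one of the vendor advisories below, compare the installed package against the package version in that advisory rather than against 2.5.7.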
| Recommendation |
Upgrade to the latest version of rsync (2.5.7 or later), available from the rsync download Web page at http://samba.org/rsync/download.html
For Red Hat Linux: Upgrade to the latest rsync package, as listed in Red Hat Security Advisory RHSA-2003:398-07 at https://rhn.redhat.com/errata/RHSA-2003-398.html
For SuSE Linux: Upgrade to the latest rsync package, as listed in SuSE Security Announcement SuSE-SA:2003:050 at http://www.linuxsecurity.com/advisories/suse_advisory-3837.html
For Slackware Linux: Upgrade to the latest rsync package, as listed in slackware-security Mailing List, Wed, 3 Dec 2003 at http://www.slackware.com/security/viewer.php?l=slackware-security&y=2003&m=slackware-security.399741
For Trustix Secure Linux 1.2, 1.5, and 2.0: Upgrade to the latest rsync package (2.5.7-1tr or later), as listed in Trustix Secure Linux Security Advisory #2003-0048 at http://www.trustix.org/errata/misc/2003/TSL-2003-0048-rsync.asc.txt
For Conectiva Linux: Upgrade to the latest rsync package, as listed in Conectiva Linux Security Announcement CLSA-2003:794 at http://distro.conectiva.com/atualizacoes/index.php?id=a&anuncio=000794
For Mandrake Linux: Upgrade to the latest rsync package, as listed in MandrakeSoft Security Advisory MDKSA-2003:111 at http://www.mandrakesecure.net/en/advisories/advisory.php?name=MDKSA-2003:111
For OpenPKG: Upgrade to the latest rsync package, as listed in OpenPKG Security Advisory OpenPKG-SA-2003.051 at http://www.openpkg.org/security/OpenPKG-SA-2003.051-rsync.html
For Turbolinux: Upgrade to the latest rsync package (2.5.7-1 or later), as listed in Turbolinux Security Advisory TLSA-2003-67 at http://www.turbolinux.com/security/TLSA-2003-67.txt
For Immunix: Upgrade to the latest rsync package, as listed in Immunix Secured OS Security Advisory IMNX-2003-73-001-01 at http://www.linuxsecurity.com/advisories/immunix_advisory-3854.html
For other distributions: Contact your vendor for upgrade or patch information.
Where the daemon cannot be upgraded immediately, restrict access to TCP port 873 to trusted hosts (with the hosts allow parameter in rsyncd.conf, or with a packet filter), and make sure the daemon's modules run under an unprivileged uid rather than root. If the daemon is not needed at all, do not run rsync with --daemon or from inetd/xinetd. |
| Related URL | CVE-2003-0962 (CVE) |
| Related URL | 9153 (SecurityFocus) |
| Related URL | 13899 (ISS) |