Change logs for rsync source package in Xenial

  • rsync (3.1.1-3ubuntu1.3) xenial-security; urgency=medium
    
      * SECURITY UPDATE: improper pointer arithmetic might allow
        context-dependent attackers to have unspecified impact
        - debian/patches/CVE-2016-9840.patch: remove offset pointer optimization
          in inftrees.c.
        - CVE-2016-9840
      * SECURITY UPDATE: improper pointer arithmetic might allow
        context-dependent attackers to have unspecified impact
        - debian/patches/CVE-2016-9841.patch: use post-increment only in inffast.c.
        - CVE-2016-9841
      * SECURITY UPDATE: vectors involving left shifts of negative integers might
        allow context-dependent attackers to have unspecified impact
        - debian/patches/CVE-2016-9842_1.patch: avoid shifts of negative values in
          inflateMark().
        - debian/patches/CVE-2016-9842_2.patch: avoid casting an out-of-range
          value to long.
        - CVE-2016-9842
      * SECURITY UPDATE: vectors involving big-endian CRC calculation might allow
        context-dependent attackers to have unspecified impact
        - debian/patches/CVE-2016-9843.patch: avoid pre-decrement of pointer in
          big-endian CRC calculation.
        - CVE-2016-9843
    
     -- Avital Ostromich <email address hidden>  Thu, 13 Feb 2020 17:48:27 -0500
  • rsync (3.1.1-3ubuntu1.2) xenial-security; urgency=medium
    
      * SECURITY UPDATE: receive_xattr function does not check
        for '\0' character, allowing denial of service attacks
        - debian/patches/CVE-2017-16548.patch: enforce trailing
          \0 when receiving xattr values in xattrs.c.
        - CVE-2017-16548
      * SECURITY UPDATE: Allows remote attacker to bypass argument
        - debian/patches/CVE-2018-5764.patch: Ignore --protect-args
          when already sent by client in options.c.
        - CVE-2018-5764
    
     -- <email address hidden> (Leonidas S. Barbosa)  Thu, 18 Jan 2018 17:27:59 -0300
  • rsync (3.1.1-3ubuntu1.1) xenial-security; urgency=medium
    
      * SECURITY UPDATE: bypass intended access restrictions
        - debian/patches/CVE-2017-17433.patch: check fname in
          recv_files sooner in receiver.c.
        - CVE-2017-17433
      * SECURITY UPDATE: does not check for fnamecmp filenames and
        does not apply sanitize_paths
        - debian/patches/CVE-2017-17434-part1.patch: check daemon
          filter against fnamecmp in receiver.c.
        - debian/patches/CVE-2017-17434-part2.patch: sanitize xname
          in rsync.c.
        - CVE-2017-17434
    
     -- <email address hidden> (Leonidas S. Barbosa)  Wed, 06 Dec 2017 11:07:22 -0300
  • rsync (3.1.1-3ubuntu1) xenial; urgency=medium
    
      * SECURITY UPDATE: incomplete fix for rsync path spoofing attack
        - debian/patches/CVE-2014-9512-2.diff: add parent-dir validation for
          --no-inc-recurse too in flist.c, generator.c.
        - CVE-2014-9512
    
     -- Marc Deslauriers <email address hidden>  Tue, 19 Jan 2016 14:58:35 -0500
  • rsync (3.1.1-3) unstable; urgency=medium
    
    
      * Added patch for CVE-2014-9512, Rsync path spoofing attack vulnerability.
        closes:#778333
    
     -- Paul Slootman <email address hidden>  Sat, 07 Mar 2015 15:45:05 +0100