Slashdot Mirror


New rsync Released to Fix Vulnerability

cshields2 writes "Today the rsync developers have released a new version that fixes an exploitable security vulnerability when running rsync as an 'rsync server.' Any server out there running rsync should check this out and upgrade if necessary. (which is every open source mirror server out there, and many mirrors themselves)"

5 of 226 comments

  1. Gentoo by lisany · Score: 5, Informative

    This is what got the cracker in (plus the brk kernel thing) into the Gentoo Rsync server. All fixed now tho!

  2. Re:Eh? by uncleFester · Score: 5, Informative

    Nobody runs rsync as a publicly accessible service anymore.

    oh really?

    i rsync my local copy of slackware-current from carroll.cac.psu.edu. probably half the listed servers on the slack mirrors list (many of which host many other projects besides slack) do rsync. gentoo uses rsync for portage. kernel.org supports rsync for kernel/patch transfers.. as does sourceforge.

    me thinks thou should pull thine head out of thine ass before making such silly comments. for a number of read-only connections, rsync is still quite popular.

    --
    -'fester
  3. FSF Savannah Server Compromised by molo · Score: 5, Informative

    The FSF Savannah server has been hacked. The statement indicates a similar attack vector as the exploit against the Debian systems. However, it had been hacked nearly a month ago and was not detected until December 1st. For those that are not familiar with it, Savannah is the FSF version of Sourceforge, hosting both GNU and non-GNU Free Software projects. It has not yet been determined whether any of the projects' source code has been modified. Read the full statement for details. One thing is certain though, with Debian, Gentoo and now the FSF being exploited in the same month, the open source/free software community is clearly under attack.

    --
    Using your sig line to advertise for friends is lame.
  4. Re:Rsync Protocol Was a Bad Idea by Qzukk · Score: 5, Informative

    What's the point of another network protocol

    Unlike ssh, rsync daemon doesn't require a user on the host system. Unlike ftp or http, rsync updates by splitting files into blocks and updating changed blocks. Unlike scp, the config file can exclude/include certain files/paths/etc. without requiring the use of filesystem permissions. (it also has password protection).

    Does anyone know of a program similar to rsync

    Nah, there wasn't a point to it.

    --
    If I have been able to see further than others, it is because I bought a pair of binoculars.
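
An added example, not part of the original comment or of the rsync project's own files: a constructed rsyncd.conf showing the daemon features described in comment 4 (no host account for clients, exclude rules independent of filesystem permissions, password protection) together with the read-only serving mentioned in comment 2. The module names, paths and user name are assumptions.

```ini
# Constructed example rsyncd.conf. Module names, paths and the user
# name below are assumptions chosen for illustration.

# Global parameters: the daemon serves modules itself, so clients
# never need a login account on the host.
uid = nobody
gid = nobody
use chroot = yes
max connections = 20

# Anonymous, read-only public mirror.
[mirror]
path = /srv/mirror
comment = public read-only mirror
read only = yes
# Hide these paths from clients without changing filesystem permissions.
exclude = /private/ *.tmp

# Password-protected module, not shown in the module listing.
[staging]
path = /srv/staging
comment = restricted staging area
read only = yes
list = no
# Only the named user may connect; the password is looked up in the
# secrets file (one "user:password" entry per line).
auth users = syncuser
secrets file = /etc/rsyncd.secrets
```

With the default `strict modes = yes`, the daemon refuses to use a secrets file that other users can read, so it should be owned by the daemon's user and not world-readable.
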
  5. I would just like to say... by LnxAddct · Score: 5, Informative

    For all you naysayers who always talk trash about Fedora, I run Fedora and Debian and Fedora alerted me this morning about the problem and patched it in seconds. I updated Debian too, but I usually don't update on a daily basis, usually like once a week or something, unless I see something in the news. I would have had no clue about this for about 3 days if I hadn't read Slashdot and didn't have Fedora to alert me. I personally like Debian better for other reasons, but I'm just saying don't bang on Fedora, it's a damn good product.